CyberWire Daily - A new threat to routers. DoppelPaymer hoods collared. Ransomware hits a Barcelona hospital. Phishing in productivity suites. Espionage, hacktivism, and prank phone calls.
Episode Date: March 7, 2023

HiatusRAT exploits business-grade routers. International law enforcement action against the DoppelPaymer gang. Ransomware hits a major Barcelona hospital. Productivity suites are increasingly attractive as phishing grounds. Transparent Tribe's romance scams. Cyberattacks briefly disrupt Russian websites and media outlets. Ashley Leonard, CEO of Syxsense, sits down with Dave to discuss their "Advancing Zero Trust Priorities" report. Joe Carrigan on a warning from Microsoft about a surge in token theft. And trolling for disinfo raw material.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/44

Selected reading.
Black Lotus Labs uncovers another new malware that targets compromised routers (Lumen Newsroom)
Germany and Ukraine hit two high-value ransomware targets (Europol)
European Police, FBI Bust International Cybercrime Gang (VOA)
German police lift lid on worldwide cyber blackmail gang (Deutsche Welle)
Europol Hits Alleged Members of DoppelPaymer Ransomware Group (Decipher)
An international sting brings another win against ransomware gangs (Washington Post)
European police move in on DoppelPaymer (Computing)
Police Looking for Russian Suspects Following DoppelPaymer Ransomware Crackdown (SecurityWeek)
Cyberattack hits major hospital in Spanish city of Barcelona (AP NEWS)
Cyberattack Hits Major Hospital in Spanish City of Barcelona (SecurityWeek)
Barcelona's Hospital Clinic hit by ransomware cyberattack 'from outside Spain' (Euro Weekly News)
Phishers' Favorites 2022 Year-in-Review (Vade)
Kremlin Website Down Amid Reports of Cyber Attacks on Russia (The Daily Beast)
Russian diplomat blames West for recruiting hackers for operations against Moscow (TASS)
Don't Answer That! Russia-Aligned TA499 Beleaguers Targets with Video Call Requests (Proofpoint)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
HiatusRAT exploits business-grade routers. International law enforcement action against the DoppelPaymer gang.
Ransomware hits a Barcelona hospital. Productivity suites are increasingly attractive as phishing grounds. Transparent Tribe's romance scams. Cyber attacks briefly disrupt Russian websites and media outlets. Ashley Leonard, CEO of Syxsense, sits down with Dave Bittner to discuss their Advancing Zero Trust Priorities report, Joe Carrigan on a warning from Microsoft about a surge in token theft, and trolling for disinformation raw material.

From the CyberWire studios at DataTribe, I'm Trey Hester, filling in for Dave Bittner with your CyberWire summary for Tuesday, March 7th, 2023.
Lumen's Black Lotus Labs report identifies a campaign they're calling Hiatus, which they characterize as a complex, never-before-seen campaign which has been targeting business-grade routers since June of 2022. The malware converts compromised devices into covert proxies. Black Lotus says, quote, The packet capture binary enables the actor to monitor router traffic on ports associated with email and file transfer communications, end quote. Most of the victims so far have been identified in Europe and Latin America, and the researchers, seeing no significant overlap with other threat activities, see HiatusRAT as a unique cluster. It constitutes both a staging mechanism for subsequent attacks and a threat to information transiting affected routers.

Bleeping Computer reports that two alleged members of the DoppelPaymer group were targeted in a joint effort between German and Ukrainian law enforcement. Europol, the FBI, and Dutch police also saw involvement. Europol said in a press release that officers in Germany on February 28th raided the house of a German national who is believed to have played a major role in the DoppelPaymer ransomware group. Ukrainian police, despite the ongoing war with Russia, were able to interrogate an alleged member of the gang apprehended in Ukraine. Law enforcement is actively seeking out three more actors that they believe were the core members of the gang. Eleven suspects altogether have been identified.

A ransomware attack against the Hospital Clinic of Barcelona on Sunday has severely disrupted the clinic's computer operations, as well as forcing cancellations of 150 non-urgent operations and as many as 3,000 patient checkups, the AP reported yesterday. The attack has been attributed to the RansomHouse gang, a group working from the outskirts of Spain. SecurityWeek wrote that Sunday's attack on the center crippled computer systems at the facility's laboratories, emergency room, and pharmacy at three main centers and several external clinics. Thus, its effects weren't confined to a single location. Approximately 150 elective surgeries, 500 extractions, and around 300 consultations were unscheduled, according to Euro Weekly News. Urgent cases are being redirected to other locations. Hospital director Antoni Castells said in a Monday news conference, quote, We can't make any predictions as to when the system will be back up to normal. Recovery is in process, end quote.

Vade has published its annual Phishers' Favorites report for 2022, finding that Facebook, Microsoft, and Google were the most impersonated brands last year. Notably, Google, which placed 28th in 2021, jumped to the third most impersonated brand last year, following a 1,560% increase in Google-themed phishing pages. The researchers attributed this increase to the growing popularity of Google Workspace, and Vade predicts that Microsoft and Google will be the two most widely impersonated brands in 2023 due to the prevalence of their productivity suites. Vade also observed significant increases in phishing attacks across nearly every industry sector.

Virtual swallows and digital ravens are seeking to enmesh targets using bogus romantic come-ons. ESET reported this morning that Transparent Tribe, a group believed to operate from Pakistan, is active in apparently targeting, for the most part, Indian and Pakistani military and government officials with romance scams. The victims are convinced to download compromised versions of secure messaging apps to their Android phones. These apps will install the CapraRAT backdoor, which is designed to exfiltrate information. ESET believes the attackers began by contacting their victims via an email address or phone number and then luring them into a romance scam. After the victims have downloaded the Trojanized messaging app, the attackers continue communications with them over the messaging app while stealing information in the background. The malicious apps used poor operational security, and the researchers were able to locate over 150 victims. Most of Transparent Tribe's efforts may have gone into India and Pakistan, but infestations were also found in Egypt, Russia, and Oman.

Anonymous claims to have resumed hacktivist actions against Russia, saying last Thursday that they were, quote, currently involved in operations against the Russian Federation, end quote. The Daily Beast reports that the Russian government site Kremlin.ru and five other government sites were down briefly on Monday. Kremlin.ru is back up now. The action appears to have been the now customary nuisance-level hacktivist work of distributed denial of service and website defacements. Meanwhile, TASS is authorized to disclose that a member of Russia's delegation to the United Nations has denounced what she characterizes as the West's use of Ukraine as a testing ground for cyber warfare.

Proofpoint this morning described an ongoing campaign by a Russia-aligned threat actor, TA499, also known as Vovan and Lexus, to engage Western political and business leaders in voice or video calls. The calls are recorded, and they appear designed to gather raw material that can be used to produce content that would tend to discredit those who have publicly supported Ukraine. Proofpoint summarizes, quote, The calls are almost certainly a pro-Russia propaganda effort designed to create negative political content about those who have spoken out against Russian President Vladimir Putin and, in the last year, opposed Russia's invasion of Ukraine. End quote. Proofpoint goes on to add that if you rashly decide to take one of these calls, quote, TA499 is not a threat to take lightly due to the damage such propaganda could have on the brand and public perception of those targeted as well as the perpetuation of disinformation. End quote. Engagement begins with emails inviting the target to join a call. The emails commonly impersonate a Ukrainian ambassador. Should the target agree to the call, TA499 will use a video deepfake to impersonate a trusted interlocutor. Once the target is induced to make a statement in the Ukrainian interest, the threat actor engages in what Proofpoint calls antics, designed to fluster the target into doing or saying something embarrassing. That embarrassment will then display elsewhere in the interest of the Kremlin.
Coming up after the break, Dave Bittner sits down with Ashley Leonard of Syxsense to discuss their Advancing Zero Trust Priorities report, and Joe Carrigan on a warning from Microsoft about a surge in token theft. Stick around.
Ashley Leonard is CEO and co-founder of endpoint security firm Syxsense. They recently shared a report titled Advancing Zero Trust Priorities. For details on what they found, I spoke with Ashley Leonard.
First of all, the fact that the amount of organizations that are currently evaluating zero trust is pretty interesting. Our results showed that 62% of organizations are currently evaluating or have implemented a zero trust solution. The amount that actually have implemented it so far, though, is pretty small. It's only 4.8% of organizations that have actually currently implemented some form of zero trust implementation.

And why do you suppose that's lagging in that way? I mean, as you say, this is certainly a hot topic these days. That's a smaller number than I would have expected.

Yeah, it surprised me because you do see it so prevalent in the industry news and at trade shows. I think a lot of it is that there's a lot of complexity around zero trust and a lot of problems actually understanding really what zero trust is. Many organizations think that you can just buy a product and you install the zero trust product and that will allow you to then have zero trust. And zero trust is really a lot more than that. It's more of a mindset. Certainly products help, and obviously we're a product vendor or a software vendor, so we can help you along that path. But it's a lot more than just buying a product to implement a true zero trust methodology.

What are your recommendations then? I mean, for folks who have their eye on going down this path, any words of wisdom?

Yeah, you know, if you kind of look at traditional security, traditional security worked with more of kind of, I like to call it the castle mentality, where you're going to have very high walls and the moat and very limited gates that you can enter the building through. And that kind of protected your organization in the old days. Now, nowadays, of course, those walls have come down. A great example is what recently happened with COVID and employees at home. And now those laptops and devices that were once at home are now walking in through the gates of the castle, get plugged into the corporate network, and now you have a problem. So you kind of have to, first of all, I think, change the mentality of the way that you look at cybersecurity in your organization from being kind of that castle mentality to being a zero-trust mentality, which is that you kind of have to have the mindset that everything is already breached and that what your job is is to limit the damage that could happen from a device that is already potentially breaching the organization. So you kind of start there with that mindset change. What you then do is go ahead and need to perform an audit. And you kind of want to order a lot of different things. You want to think about the tools that you're currently using. And that's an important point because many organizations today are not actually at step one when it comes to implementing zero trust. They've often got tools that can already be used to help them along their zero trust route. Think about the assets that you have. Think about the data, the networks, how they're accessed, how they're secured. So you kind of want to do this audit of your IT infrastructure and then determine your risks. And that's also a different approach, I think, when it comes to zero trust, where traditional security, you typically look at an outside-in approach to security. You're kind of looking at how an attacker might get into your organization. With zero trust, you start on the inside looking outwards. So you kind of have to change the way you look at your entire infrastructure. And then you implement the controls and requirements that will tighten the security to limit access, assuming that everything is untrusted until it's proved to be trusted. Finally, you repeat because it's constantly changing. That's the other key learning is that this is an iterative process. And you need to just run through the process and get to the end and start again. Because new software is coming in, new ways of accessing data, new data itself, new forms of storing data. So it's a constantly iterative process as you implement zero trust policies.

There's that old saying that you shouldn't let the perfect be the enemy of the good. I'm curious, do you think that applies to people who are in the midst of their zero trust journey?

Yeah, and I don't think there is going to be a perfect. And typically the smartest way to implement zero trust is to start with kind of the easy wins. And then you get to the end and then start again and you move up to the next challenge. So I wouldn't wait. There's not going to be a perfect plan for implementing zero trust. The best thing to do is to get going and just keep iterating.

What's your message to the folks who are putting off this transition or kicking that can down the road, maybe intimidated by the notion of the change itself or for other reasons? What do you have to say to them?

Well, so that's an interesting one as well. So as part of the survey, we actually asked that question. So we asked the question, why, if you're not looking at implementing zero trust, why? And the kind of top three answers that came back were lack of budget was number one. 41% of the respondents that are not implementing zero trust at the moment came back and said the primary reason was lack of budget and funding for a zero trust implementation. So they wanted to do it, but they couldn't. So I would say to that group, hey, this is not something you can put off. Again, the old security approach of the castle walls doesn't work anymore. Behind that was technical challenges. And yes, there are challenges, but there's also an opportunity to learn new skills and improve your skills as an individual if you're implementing zero trust and help improve the business's overall security posture. And I would say that your level of security compliance and posture actually is a business benefit for your organization. We're in the security business, and we have to prove compliance for many of the customers that we do business with. So it's an advantage the more highly secure we are, and it ends up being a differentiator for us versus some of our competitors. And then finally, I would say the third item that came back from our survey regarding why customers don't implement zero trust was just a lack of direction from the top. So it's important, depending on the size of your organization, whether it's your CIO, CISO, or CEO, that you're aware of these types of initiatives like zero trust and you're making it a priority for your organization.

That's Ashley Leonard from Syxsense. The report is titled Advancing Zero Trust Priorities.

And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hello, Joe.

Hi, Dave.

So interesting story here from the folks over at eSecurity Planet. This is an article written by Jeff Goldman, and it's titled, Microsoft warns of surge in token theft bypassing MFA. Can you unpack what's going on here, Joe?

Yeah. So, I'm not sure what's going on with the surge. I guess that Microsoft has a team called Detection and Response Team. They like to call it DART because they also have a cool acronyms department over at Microsoft. But they are noticing that there is an increase in these token, what's called token theft. They're describing two different kinds of token theft in here. One is called the adversary in the middle and the other is called pass the cookie.

Okay.

So before we get into that, we should understand what a token is.

Yeah.

When you log into a website or a service or something, whatever it is, it's easier to understand with the web. So the web is stateless in that it doesn't, the state doesn't survive from one connection to the next. So in that connection, your web browser will maintain something called, in that connection, I say with quotes because it's actually mimicking a connection. Your web browser will maintain in a set of cookies, and that's why we have cookies, something called a session token that verifies to the server that you are logged in correctly and you are who you say they are.

I see. You say you are.

So basically what that means is every time you go to request something, if you have one of these tokens, you don't have to provide your username and password. So imagine life without the tokens. And I want to submit this form and the thing says log in. So I go and have to log in. And then it says, okay, and then I want to click to the next page. I have to log in again.

That would be miserable.

Right. It would be unusable. And not only that, but how would you even, there's a whole bunch of different questions that arise. So we just use these tokens as a representation of our session that really doesn't exist between one request and the next one.

Okay.

And we kind of build like a human understanding of a session. I'm logged in and then I'm logged out.

Okay.

And there's also other services where you log in. Like let's say, for example, remote desktop protocol.

Yeah.

Where I might, I don't know if that one has a token or not, but I would imagine it does, that there's some token in there that lets me authenticate over time.

Uh-huh.

So what's happening here is they're talking about two different attacks. One is a pretty simple attack to understand. It's called pass the cookie.

Okay.

So it involves compromising a user's browser somehow. You see this happening a lot with plugins or with HTML. If it can break out, there's a vulnerability that nobody knows about, or you're using an unpatched version of your web browser. Somebody might be able to get access to the cookies that are stored for a site. And if they can get access to them, then it's really simple then just to export them to somebody else. And then they can put that cookie into their web browser just by using some of the development tools that are included with these web browsers to then represent that they are you. And the server, if the server is not configured to look for things like, hey, this IP address has changed significantly. This person is now looking like they're coming out of New York City when just two minutes ago, they looked like they were coming out of California.

Okay.

Right? Now, that actually may be a valid use case, but I think it's reasonable to, when you see that, to say, okay, you're just going to have to authenticate again.

Right. And log back in.

Yeah. So those kind of attacks are out there. The other one is called the attacker in the middle or adversary in the middle attack, which is kind of like a man in the middle, but it's basically what they do is they build malicious infrastructure that then lets you connect and log in and shows you what you should be connecting to and logging into. But when they receive the tokens, they make a copy of them. And then they steal them and they can log in with whatever service it was. This will bypass a lot of the multi-factor authentication protocols out there, like the SMS code or any of the codes that you have to enter, because you'll be looking at the actual web page when this thing loads. And when you have to enter a code that's either texted to you or generated by a program or a little piece of hardware that you have, there's nothing in that process that says you're not on the right web page. You're not looking at who you think you're looking at or you're not using the correct service or there's somebody in the middle that's being malicious. One of the things that Microsoft recommends here is using a FIDO Alliance authentication method, because that will protect against this. Because the FIDO device will only respond using the connection information for the people asking or for the service asking for the authentication, which will not be the legitimate service behind the attacker in the middle, the malicious infrastructure.

I see.

So when it goes to what it does, and my reading is old on this, and I haven't read this up. I'm doing this all from memory. But what it does is it uses that server name, that URL or whatever it is, as a part of a private key along with a secret that it generates on the fly.

Okay.

And then it does a challenge response using that private key. Well, if Microsoft is saying, hey, I'm Microsoft. Take Microsoft and your secret and add it together and give me the challenge response for this number. And then Bob's Evil Infrastructure says, hey, I'm Bob's Evil Infrastructure. Give me the challenge response. Your challenge response is not going to be correct for Microsoft. It's going to be correct for Bob's Evil Infrastructure.

I see.

And Microsoft will go, no, you didn't authenticate. So that's how, and that's a terrible way to explain how FIDO protects you against that. But suffice it to say, a FIDO key like a YubiKey or a Google Titan will protect you against this kind of attack.

All right.

But it will not protect you against logging in and having somebody exfiltrate your keys from your web browser.

Yeah.

So if you log into Google, put your Google Titan in there, push the button, and get the session key, and somebody steals that, if Google's not checking for that kind of thing, which they might be, I don't know, then they have stolen your session and they can do whatever they want as you.

All right.

Now, unfortunately, Google, whenever you need to do anything significant, they do ask for your password again.

Yeah.

But these guys don't even need to know your password, username, password, or your multi-factor authentication stuff. They just need to get the session.

All right. Well, once again, this is over on eSecurity Planet, an article by Jeff Goldman, Microsoft warns of surge in token theft bypassing MFA. Joe Carrigan, thanks for joining us.
It's my pleasure.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technology.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is me, with original music by Elliot Peltzman.
The show is written by John Petrick.
Our executive editor is Peter Kilpie.
And I'm Trey Hester, filling in for Dave Bittner.
Thanks for listening, and we'll see you back here tomorrow.