CyberWire Daily - A quick Patch Tuesday retrospective, and then a look at what the threat groups are up to.
Episode Date: November 15, 2023A look back at Patch Tuesday. BlackCat uses malicious Google ads. Social engineering in the third quarter of 2023. Are small businesses in denial about ransomware? Molerats have some new tools. Israel... turns to NSO Group's Pegasus to search for hostages taken by Hamas. Tim Starks from the Washington Post examines the potential aftermath of a Russian group hitting a Chinese bank. In our Learning Layer, Sam Meisenberg helps a student understand and create a strategy for the CISSP CAT. And a cyberespionage campaign is attributed to Russia's SVR. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/218 Selected reading. Adobe Releases Security Updates for Multiple Products | CISA (Cybersecurity and Infrastructure Security Agency CISA) Fortinet Releases Security Updates for FortiClient and FortiGate (Cybersecurity and Infrastructure Security Agency | CISA) VMware Releases Security Update for Cloud Director Appliance (Cybersecurity and Infrastructure Security Agency | CISA) CISA Releases Two Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency | CISA) Microsoft Releases October 2023 Security Updates (Cybersecurity and Infrastructure Security Agency | CISA) Microsoft November 2023 Patch Tuesday fixes 5 zero-days, 58 flaws (BleepingComputer) SAP Security Patch Day for November 2023 (Onapsis) The ALPHV/BlackCat Ransomware Gang is Using Google Ads to Conduct… (eSentire) Q3 2023 Threat Landscape Report: Social Engineering Takes Center Stage (Kroll) OpenText Cybersecurity 2023 Global Ransomware Survey: The risk perception gap (OpenText Blogs) TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities (Proofpoint) Israel's NSO unleashes controversial spyware in Gaza conflict (Axios) APT29 Attacks Embassies Using CVE-2023-38831 (NCSCC) Cyber-espionage operation on embassies linked to Russia’s Cozy Bear hackers (Record) Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A quick look back at Patch Tuesday.
Black Cat uses malicious Google ads.
Social engineering in the third quarter of 2023.
Are small businesses in denial about ransomware?
Mole rats have some new tools.
Israel turns to NSO Group's Pegasus to search for hostages taken by Hamas.
Tim Starks from the Washington Post examines the potential aftermath of a Russian group hitting a Chinese bank.
In our learning layer, Sam Meisenberg helps a student understand and create a strategy for the CISSP cat.
And a cyber espionage campaign is attributed to Russia's SVR.
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, November 15th, 2023. We begin today with a quick look back at yesterday's November Patch Tuesday.
Microsoft addressed 58 vulnerabilities, including five zero days.
Three of the zero days have been exploited in the wild.
The two other zero days were publicly disclosed before patches were available,
but Microsoft says it hasn't so far seen any evidence of exploitation.
VMware addressed a critical authentication bypass vulnerability in VMware Cloud Director Appliance.
Fortinet issued patches for several flaws affecting FortiClient and FortiGate,
issued patches for several flaws affecting FortiClient and FortiGate, and SAP has received patches for six flaws, including an improper access control vulnerability with a CVSS score
of 9.6 caused by the SAP Business One installation process. Researchers at eSentire warned that an
AlfV Black Cat ransomware affiliate is using malware-laden Google ads to target entities in the Americas and Europe.
They say this affiliate is taking out Google ads promoting popular software such as Advanced IP Scanner, Slack, WinSCP, and Cisco AnyConnect to lure business professionals to attacker-controlled websites.
AnyConnect to lure business professionals to attacker-controlled websites. Thinking they're downloading legitimate software, the business professionals are actually downloading the
Nitrogen malware. Nitrogen is initial access malware that leverages Python libraries for
stealth. This foothold provides intruders with an initial entry into the target organization's
IT environment.
Kroll has published its threat landscape report for the third quarter of 2023, finding that social engineering dominated the field last quarter.
Kroll says, this was evidenced by our observations of the dramatic escalation of social engineering
tactics, with significant increases in phishing, smishing, valid accounts, voice
phishing, and other tactics, adding up to the highest volume of incidents we've seen in 2023.
Business email compromise attacks rose 13% in the third quarter compared to the previous quarter.
Quarles researchers write, the increasing volume of social engineering attacks is matched by a broadening range of approaches, whether that is via phone and SMS, as the group K2A243 Scattered Spider is known to abuse novel email phishing scams, or directly via Microsoft Teams using DarkGate malware. As part of the rise in social engineering, business email compromise continues to grow
steadily in popularity, with both established and newer threat actors using a range of tactics to
access data and in some cases ransom the information. A survey by Open Text Cybersecurity
has found that a majority of small to medium-sized businesses, 65% in fact,
don't believe they'll be targeted by ransomware attacks.
OpenText says,
Findings show a similarity in how small to medium-sized businesses and enterprises
think about ransomware attacks,
including a disconnect about who is a target
and growing concern about the use of artificial intelligence by threat actors.
While the majority of organizations don't believe they will be attacked,
they do understand the business risks as evidenced by increased security spending and plans to expand security teams.
In spite of the security spending and their disinclination to believe that they'll be targeted by threat actors,
security spending and their disinclination to believe that they'll be targeted by threat actors,
46% of SMBs and enterprises said they were hit by a ransomware attack in the past year.
Proofpoint researchers yesterday described some new activity by TA-402, the Palestinian-aligned threat actor, better known as the Mole Rats, and sometimes called the Gaza Cyber Gang, Frankenstein, or Wirti.
Between July and October, TA-402 has used a new downloader, Ironwind,
which they've used to install shellcode in victim systems.
The group has also shifted away from using malicious Dropbox links
and toward deploying XLL and RAR file attachments, presumably the better
to evade detection. TA-402's targeting has continued to follow its historical pattern
of prospecting Arabic-speaking governmental organizations in the Middle East and North
Africa. It hasn't, so far, shown a shift toward direct support of the war between Hamas and Israel.
a shift toward direct support of the war between Hamas and Israel.
Axios reports that Israeli authorities are said to be using NSO's Pegasus zero-click intercept tool to track cell phones belonging to hostages, murdered civilians, and Hamas terrorists
in their effort to locate surviving hostages.
NSO Group is said to be approaching U.S. officials to ask for a relaxation of strictures against its tools,
which it argues have become vital to collection against terrorist organizations.
There are, so far, few signs that the U.S. is moving towards such relaxation,
imposed after many reports that Pegasus was widely abused by repressive governments.
But there do appear to have been some approaches by European governments
advocating for NSO Group's restoration to American good graces.
Ukraine's National Cybersecurity Coordination Center, the NCSCC,
has published its analysis of a widespread cyber espionage campaign
that this past September hit diplomatic
targets in Azerbaijan, Greece, Romania, and Italy. The foreign ministries of Azerbaijan and Italy
were particularly hard hit. The campaign was widely regarded at the time as a Russian intelligence
operation, and the NCSCC attributes it directly to APT29,, Cozy Bear, a unit of Russia's SVR, Foreign Intelligence Service.
The fish bait was familiar. A BMW, one owner, nicely loaded, for sale by owner, and so on, was offered for sale.
The NCSCC gives the enemy service due props for intelligent social engineering, stating,
APT-29 ingeniously employed benign-looking lures in the form of enticing BMW car sale photos and
documents expertly crafted to draw in unsuspecting victims. And while the bait may have been old,
the fishhook was new. The lure documents contained hidden malicious content
that exploited the WinRAR vulnerability, granting attackers access to the compromised systems.
The SVR also made creative use of the legitimate NGROC tool, which is used to provide temporary
public URLs during web development and testing. In this case, it enabled them to communicate with infected targets
in ways that can be difficult to detect.
In this case, the intelligence goal seems only tangentially related
to Russia's invasion of Ukraine,
except insofar as trouble in the near abroad
inevitably has repercussions for that war.
The SVR appears to have been interested in Azerbaijan's intentions
with respect to Nagorno-Karabakh, the province Azerbaijan has disputed with Armenia and which
Azerbaijan seized on September 19th and 20th of this year. Kozy Bear, Fancy Bear's less ostentatious
cousin, has been implicated in several other high-profile incidents.
These include both Russian intrusion into U.S. targets related to the 2016 U.S. elections
and the 2020 supply chain attack against SolarWinds users.
Coming up after the break, Tim Starks from the Washington Post examines the potential aftermath of a Russian group hitting a Chinese bank.
In our learning layer, Sam Meisenberg helps a student understand and create a strategy for the CISSP cat.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
In the latest edition of our Learning Layer segment,
N2K's Sam Meisenberg works with student Ethan Cook to understand and create a strategy for the CISSP CAT.
Welcome to the Learning Layer.
This is your host, Sam Eisenberg.
And in this segment, you're going to be dropped into a continuation of a tutoring session.
And we have a student, Ethan, here who's studying, and he's a couple weeks away from a CSSP exam.
So enjoy.
And even if you're not studying for the CSSP, I still think you're going to get something out of it.
So here we go.
So how are you feeling?
You're like a couple weeks away.
I'm feeling good.
The content is definitely starting to stick in more.
Feeling well, doing a lot of the practice tests
and practice questions, answering a lot of them right.
How have your scores been on the practice tests?
I would say passing for most of them.
Passing what?
What do you mean by passing?
Scoring.
How many percent?
About like 78%, 80%.
Still have room to improve, but definitely passing.
I think that's a pretty high score.
I say, look, if you're in the high 70s, low 80s, that's where you want to be.
Because remember, a 70, 80% in your practice questions is not going to translate to like 80% on exam day
because you're taking the CAT, right? Which is like a whole different experience.
Yeah. I actually wanted to talk about that a little bit because I've studied for certification
exams in the past. I got my SAC plus and did well on those, but those are more traditional. And I've
since starting this heard a lot about the CAT and how it's a very different experience and it's very
intimidating. And I kind of have some anxiety about that. I was wondering if you could walk me through that
a little bit. Okay. So you're in the right place because I think what I want to assure you of is
there's nothing to be afraid of. It's literally the same experience. It's just a multiple choice
exam. It's just the format's a little bit different. So I can walk you through that and
kind of tell you what to expect. So do you know what the, here's a, here's a, I know you're tired of
answering questions, but here's another question. Do you know what the A stands for in CAT?
Adaptive. Adaptive. Exactly. So all that means is the test is adapting to you as a test taker.
So when you answer a question, right? Say you say you're on question number one, if you get that
question correct, the next question it feeds you is going to be slightly harder. And then say you
get that question right, the question after that, again, slightly harder. And then question number
four, you get it wrong, the next question is slightly easier. All that means is it's taking
your input from the previous question and your answer and
then feeding you kind of the next question to get to your like knowledge and skill level. So that's
what we mean by adaptive. It's responding to you as the test taker. If you open the hood of a cat,
what's happening is it's trying to get you to a level where you get every other question wrong.
So what that means is on exam day, passing could mean
getting like 55% of the questions correct. So when you are doing your practice questions now,
life is good because you're getting 80% correct. On exam day, it's going to be a weird feeling
because you could be doing well and being sort of on the route to passing, but getting like 55%
of them right. So it's going to be a weird experience. You're going to feel like
you're getting punched in the face every other question,
but that's normal. So just
walk in expecting that.
Yeah, and I saw that there's a range of
questions, whereas with SecPlus,
it was a set number of questions.
I forget off the top of my head how many it was,
but... Well, sort of. SecPlus is up to 90.
Up to 90, okay. So you could see anywhere from
like 85 to 90, But yes, point taken.
But with this one, I think it was 125 to 175.
It's a pretty wide margin there.
Right, exactly.
And the interesting thing about that is,
so the minimum, let's clarify those numbers.
The minimum that you're going to see is 125.
So you are definitely going to see 125 questions,
at least no matter who you are on exam day.
After 125, the test could end at any point. So what that means is, again, testing at question
125, whether you're above or below this thing called the passing threshold. And if you are above
at 125, you pass. If you are below at 125, you fail. If you're straddling that passing threshold at 125,
it keeps feeding you questions until you're clearly above or below. Now that sort of feeding,
those extra overtime questions can go all the way up to 175. So here's the important thing
from a time management perspective. You need to anticipate seeing 175 questions.
You need to walk in there planning to see 175.
Because imagine if you run out of time at question 150,
well, then you're going to fail, right?
Because then you basically,
the machine doesn't have enough sort of data on you.
And it looks back at your last 50 questions
and sees whether you're above or below the passing threshold.
If you're below at any point, then you fail.
That's a long way of saying,
I don't think the technical pieces matter,
you're not going to pass if you run out of time.
But it also, kind of on the same line of thought,
if I'm at question 170, I'm still in the test.
I'm still, because it would have failed me
if I was too low already.
So I should still treat those last questions with the same level of seriousness as question 126.
So you actually need to be more focused and more serious questions 126 to 175. What I mean by that
is that think of it as like overtime in some senses because every question matters. Because
there are 50 experimental questions on the CSSP. 50, that's a lot. Yeah. But they are all built
into the first 125. Okay. So what that means is questions 126 to the end, there are no experimental
questions. Everything matters. Everything is going to affect your score and
going above or below the passing threshold. So you need to be like uber focused. And then I know
we've talked earlier about the time management piece. That's why you want to spend more time
on those questions from 126 to 175, because those are the things that will make or break your score.
Awesome. Thank you. That explanation really helps clarify the differences
between a CAT and a traditional exam.
So I know that it helped clarify, but how are you feeling?
Are you feeling any less anxious?
Definitely less anxious.
I think it's always better to know what you're dealing with
than kind of sitting there in ignorance.
But I definitely would say the exam is still intimidating,
but I think that nothing's going to change that.
I think I just kind of have to go and get it done with.
That's right.
And look, ultimately too,
I think you kind of hit the right balance.
You don't want to be thinking about
like how the cat operates on exam day.
You don't want to be like,
oh my gosh, this is an easy question.
Does that mean I got a question wrong?
Like you're just going to psych yourself out
and not focus on the content.
And ultimately it's an exam
of whether you know your stuff or not.
Time management is important. Test day strategy is important. Absolutely. But ultimately,
the content, whether you know your stuff, that's the thing that's going to, you know,
take you to the promised land. Yeah, content is king. Content is king.
Go off, King.
Now, one logistical note.
This segment, we discussed the current four-hour version of the exam,
which is 125 to 175 questions. But in April of 2024, the exam will be updated.
It'll be a three-hour test that has 100 to 125 questions.
Thank you for tuning into this segment of The Learning Layer.
I hope you got something
out of it. And if you yourself are studying for a certification exam and you have any questions
about the content or test day strategy, please feel free to let me know by emailing learninglayer
at n2k.com. This is Sam Meisenberg, and we'll see you next time on Learning Layer. Happy studying.
That's N2K's Sam Meisenberg speaking with student Ethan Cook. And it is always my pleasure to welcome back to the show Tim Starks.
He is the author of the Cybersecurity 202 at the Washington Post.
Tim, welcome back.
Hey there.
I'm enjoying your recent reporting here on Ransomware Gang, and perhaps they went a little bit too far by going after some folks in China. Can you lay out your reporting here for us?
Yeah. So the Ransomware Gang lock bit, they managed to get a hold of a U.S. division of
the biggest bank in China, and actually the biggest lender by assets in the entire world.
It's called the Industrial and Commercial Bank of China, the Financial Services Division, ICBC.
We'll just call it for the rest of this talk.
So kind of a rare target to hit that's this big.
Also a rare target to hit that's a Chinese state-owned organization.
Obviously, the U.S. Army is a little different, but it's rare to see a Russian gang, as Lockpitt
is suspected of being, go after a Chinese state-owned target. It's happened one other
time this year with a newspaper that China's state owns. But that's a big difference between
something that has billions of dollars worth of assets and that might actually impact people in China who are high up in the Communist Party.
The sort of trigger for this was that Chris Krebs, the former assistant director, had said on Twitter, I think Lockwood's going to be going through some things.
It's a funny way of saying that they're in trouble, right?
Yeah, nice understatement there.
Yeah. And he was pointing to the way the US started focusing in on, I believe it was DarkSide
that did the colonial pipeline hack. That really energized the United States because suddenly
a part of our economy was being affected in a way that was very much obvious to the
pocketbook of the average person.
Even though the fuel panic that was caused by that was a little bit people's own fault,
it still was an indirect result of that pipeline hack.
So I talked to a good number of people who were saying, yeah, this is going to be bad
for them.
Not sure what they were thinking.
Yeah.
I mean, is it possible that this was an affiliate
or that they weren't aware of who they were hitting?
What do you think?
Exactly right.
That is one of the possibilities
Alan Liska from Recorded Future brought up to me.
Also echoed in another of the comments that's in the story,
it seems as though Lockbit does not have much quality control on who they decide
to tag team with. They seem to be just
sort of like, whoever wants to pay for our malware
can have it, and now you're an affiliate.
And then, you know,
once it's out there,
the Lockbit name is on it,
they can't necessarily say,
not our fault, it's an affiliate. Well, you're still directly connected
to who did it. So
that is one theory about what happened. Affiliates are going to be maybe more indiscriminate about who
they go after. First off, ransomware is often an indiscriminate thing anyway. But there is a sort
of catch and release thing that can happen, right? Like, oh, we caught a big fish. We do not want
this shark on our board. Right, right. Here is your key to unlock everything
that we inadvertently locked.
Exactly.
Please carry on.
That's the release part.
Here you go, shark.
Go on back into the ocean.
But I think in this case,
whoever did this decided to pursue it.
And if their gang is to be believed,
and of course we can't always trust
what the ransomware gangs claim.
They are, after all, criminals who live for a living.
They say ICBC paid.
So if they did pay, it was probably a pretty decent fee.
I mean, this caused some trouble for the Treasury's markets, and to see some Reuters reporting on it,
it almost caused some real problems for the bank overall because of the assets they have and who
they work with. So there was really a serious incentive for them to pay if they did in fact pay.
Any speculation on how this may play out from here? I mean, do we expect LockBit to get a
slap on the wrist or might they be looking at a shutdown? Yeah, I think if you look back to
what happened with Colonial Pipeline and the U.S US went after them, got some of the assets back, got some of the stolen money back, that is, I guess, the ransom payment back.
It wasn't long after that, that DarkSide kind of folded and rebranded or dispersed.
That's certainly a possibility.
China might decide to extract some pain.
I believe one of the quotes from one of the flyers I talked to was,
extract some pain from Lockpit directly.
Or it could be a situation where Russia says,
hey, we've been kind of protecting you.
Now you're on your own.
Or they might help China go after these guys.
If you'll recall, there was a brief moment before the Ukraine war where the U.S. and Russia were working together to go after a ransomware gang.
It was Revol, or Revol, depending on who you talk to, where they actually helped go after some members and arrested them if the PR videos and the actual appearance in courts were to be believed. Now, how sincere that effort was by Russia, there was a lot of speculation at the time
that this was a weird kind of diplomacy
to say, hey, we'll help you on these ransomware gangs
if you leave us alone when we go after Ukraine.
And not a lot has necessarily come of that since.
There have been some drop charges.
There's been some circulation of maybe some of these people
are still going through the court systems.
It's a little opaque over there in Russia.
So it's possible that Russia just does something like that to signal to China that, hey, we're not going to
let them do this to you. And then that could also send a signal to other people that, no,
no, you're not allowed to go after China. Maybe they're not an ally, but they're close enough
that we would prefer that you don't go after them. Right. I would love to be a fly on the wall with
some of the diplomatic communiques between
the Chinese folks and the Russians
saying, what's going on
here, friend?
If you get a hold of it, please, if you
get a hold of those cables,
please put them on air.
We'll do.
Just make a whole session
out of your podcast that day.
Here's everything they said.
Right. Lots of screaming and gnashing of teeth.
All right, well, Tim Starks is the author of the Cybersecurity 202 at the Washington Post.
Tim, thanks so much for joining us.
Hey, thank you. security solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed
to give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%. Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply.
Offer ends January 31st, 2025.
Visit td.com slash dioffer to learn more.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity. Thank you. critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence
and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin
and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. Thank you. ambitious, but also practical and adaptable. That's where Domo's AI and data products platform
comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
alerts and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.