CyberWire Daily - Action in the cybercriminal underworld. Russia’s FSB and SVR are both active, and so are their hacktivist auxiliaries. NSA offers advice on configuring next-generation firewalls.
Episode Date: August 3, 2023

Open Bullet malware is seen in the wild. Threat actors exploit a Salesforce vulnerability for phishing. BlueCharlie (that's Russia's FSB) shakes up its infrastructure. Midnight Blizzard (and that's Russia's SVR) uses targeted social engineering. How NoName057(16) moved on to Spanish targets. Robert M. Lee from Dragos shares his reaction to the White House's national cybersecurity strategy. Our guest Raj Ananthanpillai of Trua warns against oversharing with ChatGPT. And NSA releases guidance on hardening Cisco next-generation firewalls.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/147

Selected reading.
No Honour Amongst Thieves: A New OpenBullet Malware Campaign (Kasada)
“PhishForce” — Vulnerability Uncovered in Salesforce’s Email Services Exploited for Phishing… (Medium)
Hackers exploited Salesforce zero-day in Facebook phishing attack (BleepingComputer)
Hackers exploit Salesforce email zero-day for Facebook phishing campaign (Computing)
Russia-based hackers building new attack infrastructure to stay ahead of public reporting (Record)
Midnight Blizzard conducts targeted social engineering over Microsoft Teams (Microsoft Security)
Unraveling Russian Multi-Sector DDoS Attacks Across Spain (Radware)
Pro-Russian Hackers Claim Cyberattacks on Italian Banks (MarketWatch)
NSA Releases Guide to Harden Cisco Next Generation Firewalls (National Security Agency/Central Security Service)
Cisco Firepower Hardening Guide (US National Security Agency)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Open bullet malware is seen in the wild.
Threat actors exploit a Salesforce vulnerability for phishing.
BlueCharlie, that's Russia's FSB, shakes up its infrastructure.
Midnight Blizzard, that's Russia's SVR, uses targeted social engineering.
How NoName057(16) moved on to Spanish targets.
Robert M. Lee from Dragos shares his reaction to the White House's national cybersecurity strategy. Our guest, Raj Ananthanpillai of Trua, warns against oversharing with
ChatGPT. And NSA releases guidance on hardening Cisco next-generation firewalls.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, August 3rd, 2023.
of the tool containing malware designed to steal cryptocurrency. It's a novel infection vector, Kasada says,
but it's well adapted to stealing from gangs who use cryptocurrency for their transactions.
Guardio discovered a zero-day vulnerability affecting Salesforce's email services and SMTP servers.
Attackers exploited the vulnerability to launch phishing campaigns targeting Facebook accounts.
Guardio states,
Our research team has uncovered an actively exploited vulnerability enabling threat actors
to craft targeted phishing emails under the Salesforce domain and infrastructure.
Those phishing campaigns cleverly evade conventional detection methods by chaining the Salesforce vulnerability and legacy quirks in Facebook's Web Games platform.
Salesforce issued a patch for the flaw on July 28.
The company said in a statement,
We value the contributions of the security research community to help enhance our security efforts, and we are grateful to Guardio Labs for their responsible disclosure of this issue.
Our team has resolved the issue,
and at this time there is no evidence
of impact to customer data.
We continually encourage researchers
to share their findings with our team
at security at salesforce.com.
Industry research has been exposing
Russian cyber operations,
and the increased light this has shed on their activities has led Russia's FSB to add a number of domains to its attack infrastructure,
the better to escape unwanted scrutiny.
Recorded Future reports that the FSB activity it tracks as BlueCharlie,
which Microsoft calls Star Blizzard, formerly Seaborgium,
has registered 94 new domains for its infrastructure. That infrastructure supports
credential harvesting, intelligence collection, and hack-and-leak operations. The FSB's targets
are Ukraine and members of the NATO alliance. The hack-and-leak operations follow an FSB tradition
of going beyond simple collection and analysis to conduct activities online that create and
develop narratives that support Russian disinformation. Microsoft reported late yesterday
that Russian threat group Midnight Blizzard, which Redmond formerly tracked as Nobelium,
and which U.S. and British intelligence services identify as an operation of Russia's SVR,
is currently engaged in highly targeted social engineering attacks against a range of Western targets.
The goal of the operation, as is almost invariably the case with SVR work, is espionage.
The present campaign is credential phishing,
and it uses security-themed subdomains as phish bait.
The attack is staged from previously compromised Microsoft 365 tenants owned by small businesses,
and it's designed to capture authentication tokens
that can be used in further attacks.
The attack typically proceeds in three stages.
The first step is a request to chat in Microsoft Teams. That request often impersonates a technical support or security team member.
The next step requests action on the target's authentication app, directing them to enter a code into their Microsoft Authenticator app.
The third step is successful multi-factor authentication.
Microsoft explains,
If the targeted user accepts the message request
and enters the code into the Microsoft Authenticator app,
the threat actor is granted a token to authenticate as the targeted user.
The actor gains access to the user's Microsoft 365 account,
having completed the authentication flow. From this point, Midnight Blizzard enters its post-compromise phase,
which involves information theft and, in some instances, the addition of a managed device to
the organization's network. The SVR is casting a wide net. Its targets are found in the government, non-governmental organizations,
IT services, technology, discrete manufacturing, and media sectors.
Radware reports that the Russian hacktivist auxiliary,
much of whose activity has been directed against Ukraine
and its Eastern European sympathizers like Poland and Lithuania,
claims to have conducted DDoS attacks against Spain.
The attacks began on July 19th and continued through the 30th.
Radware reports that the attacks were timed to coincide with Spain's elections
and that their targets included two organizations involved with administering the elections.
Most of the effects, however, were felt by the travel
and financial services sectors, with telecommunications and news organizations also affected.
Radware puts the total number of victims at around 50. At the outset of the campaign,
NoName057(16) published communiques in its Telegram channel, criticizing Spain for waging a proxy war against
Russia and promising to make Spain feel the cost of its support for Ukraine. No Name runs what
Radware characterizes as a crowdsourced botnet, Project DDoSia, to whose members it provides
client software that contributes to the attack traffic. Radware
explains, this is very aligned with IoT DDoS botnets. The difference? Instead of being installed
on compromised IoT devices, it is installed on home PCs, mobile phones, and cloud servers by
volunteers. NoName also offers payments to members who make the most attacks. One of the unusual features of a NoName campaign is its reconnaissance.
The group's admins investigate the target website and identify the most resource-intensive parts of the site,
thereby enabling their volunteers to more effectively choke the site with traffic.
The Russian hacktivist auxiliary yesterday also claimed to have
interrupted an Italian bank's website. MarketWatch reports that NoName057(16) said it conducted
successful DDoS attacks against sites belonging to seven banks. Italy's National Cyber Security
Agency said the banks reacted well and reported neither material damage nor compromise of customer
data. And finally, the NSA has issued guidance on how to harden Cisco next-generation firewalls.
NGFWs offer substantial security capabilities, but they require proper implementation. NSA says
Cisco FTD systems are NGFWs that combine application and network layer security features.
In addition to traditional features, these NGFWs provide application visibility and controls,
URL filtering, user identity and authentication, malware protection, and intrusion prevention. The agency's Cisco Firepower Hardening Guide
offers detailed advice on how to configure the NGFWs to defend networks against sophisticated
and persistent threats. If you use Cisco's FTD, be sure to take a look at NSA's advice.
Coming up after the break, Robert M. Lee from Dragos shares his reaction to the White House's national cybersecurity strategy. Our guest is Raj Ananthanpillai of Trua, who warns against oversharing with ChatGPT. Stay with us.
Do you know the status of your compliance controls right now?
Like right now. We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their
controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Generative AI platforms like ChatGPT have proven themselves useful for a broad variety of tasks. But of course, there are concerns about users oversharing sensitive proprietary or personal
information with them. Raj Ananthanpillai is
founder and CEO of identity and risk screening platform provider Trua. I spoke with him about
his concerns with generative AI. Unfortunately, people are putting all kinds of personal
information, their family information, and so on and so forth. Remember, this is a one-way street.
You can never go back to these generative tools and say,
take out my name, hey, read my this or that.
If you look at the terms of service, it's multi-page, fine print.
You need a magnifying glass to even read it and understand it.
That's how they are getting away with it. And it is very, very dangerous to put personal information because they take all your input to fine-tune their algorithms over time.
That's exactly what happens.
So you point out in some of your research that there are things that I think people will put into this that they don't consider being personal information.
For example, someone might upload a resume and say,
help me reformat this resume.
But there's all kinds of information on a resume.
Absolutely, because remember, everything is scannable, right?
So they scan.
I don't know how they upload it.
They scan it, and then your name, the employer.
So those are all what I call identifying information at some point, right?
Somebody is going to use, just like KBAs, knowledge-based authentication, remember, way back when, or even some of the institutions used that.
Hey, what kind of car did you drive in 1992?
What color was your car?
Or where did you live during this year, right?
Those are all historical information that are always being used for authentication purposes. And now imagine
your employment history as part of your resume becoming part of that. That could be another
dangerous avenue for somebody to hack and start using you and your profile for fraudulent purposes.
So can we imagine that someone could go into, for example, a ChatGPT interface and say,
tell me everything you know about Raj's work history?
Yes, you could if it already has that, right?
I've already put in there.
Even otherwise, they're going to scrape it anyway.
They go find different things already that's in the public domain, right?
They're going to find something.
Even today, you and I can Google, for example, about anybody, any place, right?
Whether it's true or not, that's a different story.
But they have enough information to go out and start interacting with you as if they are genuine, right?
And that's all it takes for somebody to easily succumb to some of those fraudsters.
Think about spoofing.
Think about phishing, right?
They're being used as if it's coming from you.
It's the same concept at a level that's probably 100 times more than what you're experiencing today.
You know, I think it's safe to say that there is true utility with some of these tools. But as you point out, I mean, it's so alluring to put information in there because the answers you get back, I mean, you hear people talking as if these things are almost therapists.
That is true. This ChatGPT, what happened was somehow this became a, what I call a mainstream slash consumer
excitement. Usually these are technologies that are used by big corporations to automate stuff,
to do big things, right? Somehow it's got into the mainstream consumer, you know, and everybody's
just toying with it, in my opinion. That is the big thing. If you think about some of the major technologies,
right, it took a long time before consumers
started using it, right? But they were not necessarily
geared towards consumers. Are there ways that people
can use this sort of technology in a safer way?
Is it possible to run something like this on a local instance?
Yeah, as long as the provider of the tool
assures you that your personal information
is going to be erased right after that.
Because you don't want to leave any personal information
behind the scenes, right?
Because they need that information to generate
whatever you're trying to tell the tool to generate.
So otherwise, it's going to be a garden variety vanilla response.
So you're looking for specific input from this particular tool.
So the key is to always minimize the number of personal information.
Again, what you're looking for in these tools is not necessarily anything absolutely personal.
They don't have anything about you personal.
It's going to take a while before you start gathering
some of the personal information.
But they're going to say, hey, how do I reduce my anxiety,
for example, right?
And my name is this.
I work in this industry, right?
Bingo, you put your name, you put your industry category.
So they're going to keep that for their future analysis purpose.
But if you say, I am, you know, Joe or Jane Smith,
and I work in a fictitious industry, right?
You don't care about it.
You're looking for output from it.
So that is how I would approach for a while until that settles.
What about business information?
You know, I've heard of folks taking things like annual reports
and uploading them to have them reformatted or reworded.
Big time no-no because it has some proprietary information,
confidential information that is the big no-no in my opinion
because you are literally letting somebody else hack into it.
It strikes me that if you cut off access to ChatGPT altogether, that might not be the most practical path.
But at the same time, you want people to be aware of the risks.
Yes, you can, you know, filter and control some of those kinds.
For example, there are a lot of tools out there, right?
And, of course, you need to develop them.
Like if you're trying to go to a porn site in a corporate environment,
they block those things.
You cannot do that, right?
Many forward-looking organizations.
Or if you're trying to go to a gambling site,
you cannot go there from the computer.
So, similarly, we have provisions where
if you have a social security number or any personal information as you're importing, it'll drop that
email right off the bat. So similar concepts have to be derived and developed for interacting with
ChatGPT. If there's company information or company proprietary technology or whatever it
is, you can potentially filter those things out.
That's Raj Ananthanpillai from Trua.
And joining me once again is Robert M. Lee.
He is the CEO at Dragos.
Rob, it is always great to welcome you back to the show.
The White House has been busy releasing a number of policy statements and strategies and so forth.
I want to touch base with you today on the national cybersecurity strategy that they recently put out.
What's your reaction to this?
First of all, I'm always excited that the White House and various policymakers are putting
cybersecurity in the forefront and talking about it in a very positive way and having a lot of
good conversations. We've even seen, I'm mad at this administration, this group of policymakers,
a differentiation between operations technology and IT.
There's just really good nuance and similar.
When it comes to the strategy, I think it's a lot of the things that we've all been talking about, which is good.
They're capturing those.
But as with most things, it's really going to be left up to
the details of how this gets implemented.
From my understanding of previous versions of the strategy, it sounds like the final draft
was pretty neutered in comparison
to what it started out as.
And so I think, on one hand, great job
having a strategy, putting it out there,
capturing feedback from the community,
and again, just making sure that cybersecurity
is a top discussion.
Cons of it is, I think that the government,
the U.S. government particularly,
has had some identity crisis of sorts on who does what,
what are the actual roles and responsibilities of the different agencies,
and what can you do, what can you influence,
what choices can you make.
And I think when I talk to a lot of the folks working on these documents and working on these strategies,
and they are some really fine Americans,
and they're working really hard,
one of the frustrations I constantly hear is
for them to have an opinion get shot down.
It's not like don't violate laws or don't violate issues,
which makes total sense.
It's don't even get close to having a perception
of perception issues.
And so I think a lot of good people,
but working inside of a pretty restrictive environment
where a lot of people don't want to have an opinion.
I think one of the things that people noted in this release
was that it is very overt in saying who's responsible for what.
Is that a good sign that things might be headed in the right direction?
It's a good sign, but this was the time to actually clarify with the so what.
This was the time to actually say what are our expectations.
I wrote an op-ed in CyberScoop about this, basically just stating
the government has a very important role and responsibility to play,
but so does the private sector.
And it's really important for government to define the why.
Why are we doing this? We're making some change.
It's going to have some cost. Why are we doing this?
To then define the what.
What outcome are you trying to achieve?
And leave the how to the asset owners and operators in the private sector and similar.
Don't try to tell a pipeline operator how to run a pipeline.
Leave that to the pipeline operator.
But set the why and the what so we all know and we're all moving in the same direction. And I think they've been really good on the why
and I think the document represents that of being overt and similar.
I'm not so sure that I see the what as much in terms of what exact outcome are you wanting.
Let's have secure by design. What does that mean to you?
Or we should have more responsibility on the suppliers.
I completely agree, but what outcome would you like to see?
And so I think that without being crisp
on what outcomes we're chasing towards,
which really is just setting requirements,
nobody's really going to be able to come up with a how
because we're not exactly sure what we're chasing.
What do you expect in terms of next steps from the government here?
They'll have to, I mean, for this to be useful, which it can be. I'm not saying this is like
some bad document. I think a lot of times also when I talk to policymakers and similar,
like any critique is like, oh my God, you're bashing this. No, I'm not. I think there's
a lot of amazing work here and there's a lot of good people working on it. But these are
very serious topics. This is national security and yeah, it matters.
So what is the problem here?
I don't see the connecting down to the next step
and it's vague enough that there's a lot of details
that can just be run in circles like we've seen
for the last 15 years on this topic.
So to make this useful, there will need to be
the underlining policies or strategies
that come out below this that define that why and the what. And talk about the mechanism for the how. Are we
talking rate recovery for an electric utility to go do something? Are we talking regulatory pressure?
Are we talking incentives? Like, what is it that we have as tools to go achieve these things you
want? I mean, suppliers. There are plenty of regulations
on the asset owners and operators. I testified in my Senate hearing, there's not a lot on suppliers.
I run a software company that develops software for critical national infrastructure,
and we get deployed in everything from oil and gas and pipelines and electric utilities to nuclear
power plants. We're pretty critical. And it is shocking to me sometimes how little I have in terms of oversight
on my business or the choices I make.
And I'm not screaming for more regulation, trust me.
I'm not like, yay regulation, but it's imbalanced.
There is not a lot of harmonizing,
although they call that out and that's good.
There's not a lot of harmonizing on the regulations
that are on our asset owners and operators.
The imbalance is obvious when you look at the requirements
that are then on the suppliers.
So they need to clarify that.
They've said, let's harmonize national regulations.
Boy, that one alone is amazing.
But what's the expectations?
Are we going to get FERC and EPA and TSA
and everybody working together because somebody above them
has the authority and is going to force that conversation?
Or are we just going to say, y'all should harmonize and then walk away and hopefully
they someday get it, even though we've been saying that for at least 15 years.
When you look at this document, your particular neck of the woods
of critical infrastructure, OT technology and security,
do you think the amount of recognition that area got
in this document
is balanced relative to the need?
Yeah, I'm always going to advocate for more OT focus,
but there is critical infrastructure focus
in this document.
So I don't feel okay to critique any,
like what percentage.
It was, it got called out,
it got specifically mentioned and talked about,
and maybe this is just trauma of the past,
but for how long that's been ignored,
the critical part of critical infrastructure has been ignored for so long,
even to get a mention, we're like, yay!
They're listening!
I'm just looking for some acknowledgement that operations people and folks that are actually keeping lights on, water running,
manufacturing goods, they deserve a mention.
Fair enough. Robert M. Lee is CEO at Dragos. Rob, thanks so much for joining us.
Thank you.
ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%!
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply.
Offer ends January 31st, 2025.
Visit td.com slash dioffer to learn more.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
Thank you.
as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.