CyberWire Daily - AiTM sets up BEC. Silent validation bots. Smishing attempt at the European Central Bank. Shields up in Berlin. Hacktivism in a hybrid war. Patch notes.
Episode Date: July 13, 2022
Adversary-in-the-middle sites support business email compromise. Silent validation carding bot discovered. Attempted social engineering at the European Central Bank. Germany puts its shields up. Carole Theriault speaks with Jen Caltrider about Mozilla's *Privacy Not Included initiative. Our guest is Lucia Milica on Proofpoint's Voice of the CISO report. And hacktivism in a hybrid war.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/133
Selected reading.
From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud (Microsoft Security Blog)
PerimeterX Discovers New Silent Validation Carding Bot (PerimeterX)
Hackers posing as Merkel target ECB's Lagarde - German source (Reuters)
European Central Bank head targeted in hacking attempt (AP NEWS)
Cyber attack on top politicians: hackers used Merkel's mobile number to crack Lagarde's WhatsApp account (Business Insider)
Germany bolsters defenses against Russian cyber threats (Deutsche Welle)
Ukraine's cyber army hits Russian cinemas (CyberNews)
DDoS attacks surge in popularity in Ukraine — but are they more than a cheap thrill? (The Record by Recorded Future)
Microsoft Releases July 2022 Security Updates (CISA)
CISA orders agencies to patch new Windows zero-day used in attacks (BleepingComputer)
SAP Releases July 2022 Security Updates (CISA)
Schneider Electric Easergy P5 and P3 (CISA)
Dahua ASI7213X-T1 (CISA)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout.
Adversary-in-the-middle sites support business email compromise.
Silent validation carding bots are discovered.
Attempted social engineering at the European Central Bank.
Germany puts its shields up.
Carole Theriault speaks with Jen Caltrider about Mozilla's Privacy Not Included initiative.
Our guest is Lucia Milica on Proofpoint's Voice of the CISO report.
And hacktivism in a hybrid war.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 13th, 2022.
Microsoft reports that attackers are using adversary-in-the-middle techniques, AiTM, to stage more effective business email compromise attacks.
Phishing messages directed victims to AITM sites that would steal passwords and hijack sign-in sessions,
skipping authentication even where multi-factor authentication had been enabled.
The attackers used stolen credentials and session cookies to access victims' mailboxes for more effective and plausible BEC attacks against the victims' colleagues.
Microsoft says that more than 10,000 organizations have been affected since last September.
Redmond recommends continuous monitoring, advanced anti-phishing solutions,
and conditional access policies to mitigate AITM risk.
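The session hijack in the Microsoft story, shown as an added defender's example that is not part of the episode or of Microsoft's guidance: a small Python detector over constructed sign-in events (the event fields, users, addresses and user agents are all assumptions made for the illustration). It records the IP and user agent that first presented each session identifier and flags the session when the same identifier later arrives from a different IP and a different user agent, which is what happens when a cookie minted through a phishing proxy is replayed from another machine; a phone that changes network but keeps the same browser is deliberately left alone.

```python
"""Flag session-token replay of the kind used in AiTM phishing.

Added example, not code from the episode or from Microsoft. Event fields,
users, addresses and user agents below are constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignInEvent:
    ts: int              # event time, seconds since epoch (constructed)
    user: str
    session_id: str      # identifier of the session cookie / refresh token
    ip: str
    user_agent: str
    mfa_satisfied: bool  # True when this request completed an MFA challenge


def find_session_replays(events):
    """Return one tuple per suspicious reuse of a session identifier.

    The first time a (user, session_id) pair is seen, its IP and user agent
    become the session's origin. A later request with the same identifier
    but a different IP *and* a different user agent is reported as
    (user, session_id, origin_ip, new_ip, origin_had_mfa). Requiring both
    fields to change keeps ordinary IP roaming from the same device quiet.
    """
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        origin = first_seen.setdefault((ev.user, ev.session_id), ev)
        if origin is ev:
            continue  # this request established the session
        if ev.ip != origin.ip and ev.user_agent != origin.user_agent:
            alerts.append((ev.user, ev.session_id, origin.ip, ev.ip,
                           origin.mfa_satisfied))
    return alerts


# Constructed sign-in telemetry (documentation address ranges, made-up agents).
SAMPLE_EVENTS = [
    # alice completes MFA; the request actually came through a phishing proxy,
    # so the token is minted for whatever address the proxy used.
    SignInEvent(1000, "alice", "sess-a1", "203.0.113.10",
                "Mozilla/5.0 (Windows NT 10.0) Chrome/103", True),
    # the same token is presented later from a different host and client,
    # with no MFA challenge: the replay pattern the story describes.
    SignInEvent(1600, "alice", "sess-a1", "198.51.100.7",
                "python-requests/2.28", False),
    # bob's phone moves between networks but keeps the same browser: benign.
    SignInEvent(2000, "bob", "sess-b1", "192.0.2.5",
                "Mozilla/5.0 (iPhone) Safari/605", True),
    SignInEvent(2300, "bob", "sess-b1", "192.0.2.88",
                "Mozilla/5.0 (iPhone) Safari/605", False),
]


def replay_summary(events=SAMPLE_EVENTS):
    """Human-readable line per alert; returned rather than printed."""
    return [f"{user}: session {sid} minted at {src} (mfa={mfa}) reused from {dst}"
            for user, sid, src, dst, mfa in find_session_replays(events)]


if __name__ == "__main__":
    for line in replay_summary():
        print(line)
```

In real telemetry the session identifier would be whatever your identity provider logs for the cookie or refresh token, and the address comparison is usually done at the network or region level rather than on raw IPs. The conditional access policies the story mentions close the same gap from the other side: if a policy requires a managed device, a cookie replayed from an unmanaged host is refused even when a detector like this one stays silent.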
And of course, let your people know that you won't be emailing them wire transfer instructions to random accounts. We note in disclosure, by the way, that Microsoft is a partner of the CyberWire.
PerimeterX reports that its researchers have found a new silent validation carding bot. The bot takes stolen pay card data and attempts to store it in e-tailers' wallet pages, where, if validated and accepted, it would become a stored payment method that could be used in future fraudulent transactions. This technique enables criminals to validate a card without alerting the card's owner to the possibility of compromise. The crooks then have a chance at a bigger payoff if they hold off and place more fraudulent orders from the stolen cards they've already staged on the e-commerce sites. PerimeterX says the bot was detected and stopped before any actual fraud was committed.
Reuters reports that unidentified threat actors tried to inveigle European Central Bank President Christine Lagarde into giving them an authentication code for WhatsApp that would have enabled them to open an account linked to Ms. Lagarde's phone number.
The attackers claimed to be former German Chancellor Angela Merkel.
An ECB spokesperson said,
We can confirm there was an attempted cyber incident recently involving the president.
It was identified and halted quickly.
No information was compromised.
We have nothing more to say as an investigation is ongoing.
The not-Merkel said, according to AP,
that it would be easier and more secure if they could connect with Ms. Lagarde over WhatsApp.
The German edition of Business Insider reports that the attackers had Ms. Lagarde's mobile number
and were able to spoof Ms. Merkel's number in their smishing text.
Business Insider says they wanted to use the Chancellor's identity
to obtain the authentication code of Lagarde's existing or new messenger service account.
This is actually used to verify the link between the personal account and the cell phone number.
By sharing the code, the strangers could have taken over Lagarde's account.
So, even world leaders get smished and phished.
We wonder if they receive offers of extended car warranties like the rest of us.
Aware of the potential threat of Russian cyber attacks, German authorities yesterday announced a program of increased readiness and resilience. Deutsche Welle reports that the German interior minister explained the motivation for the increased state of alert, saying, The sea change we are facing in view of the Russian war of aggression against Ukraine requires a strategic repositioning and significant investment in our cybersecurity.
In addition to new secure systems for exchanging information,
the government intends to promote resilience in small and medium-sized organizations,
saying that would apply to critical infrastructure, businesses involved in transport, food, health, energy, and water supply.
CISA added an entry to its Known Exploited Vulnerabilities Catalog. The latest addition, which the Federal Civilian Executive Branch agencies CISA oversees are expected to address by August 2nd, is CVE-2022-22047, a Microsoft Windows Client Server Runtime Subsystem privilege escalation vulnerability. The remedy is to apply Microsoft's patch.
And speaking of applying Microsoft's patch, yesterday was July's Patch Tuesday, and Microsoft released fixes for 84 issues, including the aforementioned bug that CISA wants U.S. federal agencies to take care of. SAP also patched, issuing 20 new security notes as well as three updates to earlier advisories. On Tuesday, July 12th, CISA released two industrial control system advisories.
And finally, hacktivists in sympathy with Ukraine have conducted distributed denial of service attacks against Russian movie theaters. CyberNews says the attacks, regarded as a tit-for-tat response to Russian DDoS attacks by Killnet and others against Ukrainian and other sympathetic nations' networks, have affected Kinomax, Mori Cinema, Luxor, Almaz and other chains, as well as ticket service Kinoplan. Obviously, such campaigns aren't war winners. The Record reports a consensus among Ukrainian security firms that DDoS is popular because it's easy and that the targets selected for disruption are picked because they're disruptible, not because they're either high value or high payoff.
Ukrainian hacktivists have been more or less assembled into a loose umbrella group. The Ukrainian government says it doesn't direct the IT Army, and indeed their opportunistic and improvisational target selection would seem to argue that their organization is pretty thin. The Record says, This lack of planning makes sense given that IT Army is an independent group of volunteer hackers, not a trained cyber army unit.
Ukrainian security official Victor Zhora said, We do not coordinate cyber volunteers in their attacks and have no information on any such coordination centers.
So, hacktivism might be regarded as a morale builder. Yegor Aushev of Cyber Unit Technologies told The Record, The only benefit of IT Army's DDoS was that thousands of people came together and felt useful in their resistance to Russia. It's striking to see how commodified DDoS apps have become, freely provided and readily accessible, complete with short how-tos that show you how to operate them. It's not going to drive the Russian army back to Moscow, but at least it gives the hacktivists a sense that they're doing something.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
The team at Proofpoint recently shared their 2022 Voice of the CISO report,
highlighting some of the challenges facing security professionals.
Lucia Milica is Global Resident Chief Information Security Officer at Proofpoint.
As we've seen for the last several years, cybercrime has reached a heightened level of intensity and sophistication.
We saw greater complexity in ransomware, supply chain, and critical infrastructure attacks.
And when you add to that the digitization and consumerization that have driven so much
of the complexities in the environments that we have to protect today, as well as some of the regulatory
landscape regulations and challenges that came from those different systems, it really
highlighted the need to hone in into what are security leaders grappling with. And as we see
the ever-evolving threat landscape, what are some
of the bigger challenges that we all collectively have to wrap our hands around? Well, let's go
through some of the specific findings together. What are some of the things that caught your
attention? I will say the first one that was very interesting to me was the fact that 48% of the
surveyed CISOs feel their organization is at risk of suffering a
material cyber attack in the next 12 months. And that is down from the previous year, which was at
64%. What are some of the other things that caught your eye? There are two other things. One is the
human factor. And it's interesting to see that the perception versus reality.
But in our voice of the CISO report, we saw that 56% of global CISOs consider their employees
being their biggest cyber vulnerability.
Now, if you look at other data points, like, for example, the World Economic Forum reports
95% of cybersecurity issues are
traced to human error. The Verizon Data Breach Report, I think that 2022 had 82% of incidents
related to the human element. To me, it was an interesting gap there between is there a perception
or is it a reality gap between those different numbers?
So the last one was the board buy-in, and it's something that is very near and dear to my heart.
There's a lack of board buy-in or at least perceived lack of support from the boardroom that has increased. So in this year, in 2022, we saw that just over half, 51% of global CISOs
agree that they see eye to eye with their boards on cybersecurity matters. Now that is down from
59% last year. By the same token, we started asking some additional questions around, hey, what are the top board concerns? So we can figure out, are we focusing on the right areas of risk? It was interesting to see that globally, significant downtime was at 37%, one of the top concerns, followed by disruption to operations at 36% and impact on business valuation, also at 36%.
So those are very interesting findings from my perspective.
So based on the information that you've gathered here, what are your recommendations?
There are a number of recommendations.
So for me, first and foremost, the threat landscape is continuously evolving. So
it's important to stay up to date and really understand what are some of your peers grappling
with, right? What's top of mind for everybody else? I think understanding that secure leaders
were not the only ones struggling with maybe the increase in volume of attacks or
insider threats. One of the findings that was really interesting to me as well was the fact
that insider threats, for example, has moved up to first when we asked CISOs in terms of what
were the biggest cybersecurity threat within the organization, that has shifted. And it was interesting to see that ransomware, despite really being covered extensively in
the media in the last year, ransomware came in sixth at 28%.
So really understanding what everybody else is focusing on.
And then last but not least, I think for me is closing the gap between CISOs and boards is absolutely critical.
And I think it's important to understand some of the communication challenges that a lot of security leaders are perhaps challenged with in terms of seeing eye to eye with their boards. I think cyber risk is business risk.
And being able to have cybersecurity oversight and have the right support at that executive level
is absolutely critical for us to succeed in doing our jobs
and adequately being able to protect organizations.
And at the same token, really understanding
and being able to focus on the business risk, the business impact that cybersecurity can have on the organization broadly.
That's Lucia Milica from Proofpoint.
...by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Carole Theriault recently spoke with Jen Caltrider from Mozilla about their Privacy Not Included initiative.
Carole Theriault files this report.
Well, listeners, do I have a treat for you today.
We have Jen Caltrider.
She's Mozilla's Privacy Not Included head honcho.
Thank you for taking the time to be on the show.
Because I can tell from the output on the site, Privacy Not Included,
that you guys are busy cats over there.
Yeah, yeah.
There's a lot of privacy problems in the world today.
I couldn't agree more.
So maybe we should start at the top.
So for those listeners who don't know about Mozilla's Privacy Not Included project, could you give us a quick overview?
Yeah, sure.
So back in 2017, which seems like the land before time these days, but it was only like six or seven years ago, a lot of connected devices were starting to become more prevalent
in people's homes.
You know, people were getting smart speakers and robot vacuums and fitness trackers and
everything.
And when we looked around at Mozilla, you know, Mozilla really cares about privacy.
We're a nonprofit with a mission that focuses in part on trying to protect privacy on the internet. And we didn't see how average consumers could find out, before they bought a product, what the privacy and security concerns of this connected device or this connected app are.
So, almost, we kind of said, well, let's try and create a buyer's guide for people to help explain that.
You know, without a lot of resources, we kicked it off and we were just curious if people would even care. You know, there's websites that review products on features and reliability and things
like that, but nothing like privacy and security. So we gave it a shot and we found that people
liked it. You know, everybody says they want to protect their privacy, but when it comes to what they can do, it's a lot harder to know. Since 2017, we have been reviewing the privacy and security of
connected devices. We've moved into doing apps as well. We've gone from just trying to state the
facts to being a little more opinionated to help people understand, hey, what this company's doing
is really bad. And maybe you should find some other product to use if you care about privacy too. Hey, we have a best of list now, and we have a creepo meter where
people can rate how creepy they find products. And we have a privacy not included warning label that,
you know, when you land on a product, if it has that, that's us kind of saying,
hey, you know, we'd be, we'd be wary of using this product because your privacy might not be protected. It's really cool how far
and wide your project has gone because you do things for the smart home, you do toys and games,
you do entertainment, you do wearables, you do health and exercise, pets, video call apps,
dating apps. I mean, you really cross the whole gamut. This must be a massive workforce here.
If only. We're a very small team, actually. We're a team of two. There's two of us, myself and Misha Rykov, who's my fellow researcher.
And we do all the reviews of the products and we approach our reviews of the products like consumer would. We kind of want to tell people what can consumers find out before they buy a product to know if it's private or secure, because you don't want to get home with it and then start setting it up and be like, oh yeah, once you connect this, we're going to
collect all your data. And so we approach it like that. And we look at what's available publicly.
We read privacy policies and public documentation and news articles about the company.
We email the email listed in the privacy policy for privacy related questions to see, do they get back to us?
You know, if they do, do they answer their questions?
You know, what can we tell? Can we tell if they are using strong encryption to protect your data?
Can we tell if they have a way to manage security vulnerabilities?
And so the two of us, you know, we just spend all our time kind of digging in and looking at that. We do have lawyers that come in
at the last minute and review everything to make sure we aren't going to say anything incorrect
or that might get us sued. But for the most part, it's just Misha and I with our heads down
doing research that if you were an average consumer and had eight hours a day to do this and a bit
of knowledge, that's what we do. I'm absolutely gobsmacked that there's only two of you doing
all this work. That is a testament to your skill and passion, let me tell you. Now, in your research,
do you often find a disconnect between what is being said on the website and what is said inside the
privacy agreement, for example? You mean how companies say they protect your privacy and
then what they actually do? Yep. Yeah, exactly. Indeed. I can't tell you how many privacy policies
I read that crow at the top of their privacy policy, we will never share or sell your data
without your consent. We care about your privacy. I mean, every company says that, right? And then
you keep like reading and digging into their track record and what data they collect and how they
share that data. And you're like, holy cow, like, you know, everybody says they care about privacy,
but there's a lot of like show don't tell here and a lot too many companies just collect as much personal information as they possibly
can because that's very valuable to them.
They use it for targeted advertising and personalization and sharing it with business
affiliates and selling it in some cases.
And they take the data they have on you and they go out to other third parties like social
media sites or data brokers or public sources and they collect even more data about you, because the more they know about you, the more they can keep you addicted to the app or target you to buy more products, to sell you more things.
And so it's really hard to trust these companies these days when it comes to privacy.
And it's sad.
I'm a little jaded.
I don't blame you one bit.
I just am super glad you do what you do.
Now, little problem.
We've almost run out of time
and we haven't touched upon your research
into mental health apps,
which I think is fascinating.
So I'm going to invite you on next time
so we can discuss this.
And in the meantime, listeners,
go check out Privacy Not Included. Go see the devices that you have in your house and see how they stack up against
others. And if your device isn't listed, you can actually fill in a request so that it gets
reviewed. Isn't that right, Jen?
Yeah, we have a form there where you can submit requests for reviews.
We obviously can't review everything.
We wish we could.
And so we try and focus on what we know people will like.
So please let us know what you're interested in.
And because we can't review everything,
even just reading a couple of reviews of similar things
will give you some ideas of what questions to look for,
what questions to ask.
It's just, hopefully we're helping people understand a little bit more of the concerns
they should have and how they can approach it so that you can just shop a little bit smarter.
Couldn't agree more. This was Jen Caltrider. She is the lead at Privacy Not Included, a Mozilla project. Thank you so much for coming on the show.
Oh, well, thanks for having me. And thanks to people who care. I appreciate it.
Be sure to check out tomorrow's Cyber Wire for part two of Carole Theriault's interview with Jen Caltrider from Mozilla.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Liz Irvin, Elliot Peltzman, Trey Hester, Brendan Karp, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
...uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.