CyberWire Daily - Albania attributes major cyberattack to Iran. TikTok denies breach. New Linux malware.
Episode Date: September 7, 2022

The Albanian government attributes a disruptive cyber attack to Iran. TikTok says it's found no evidence of a data breach. Researchers have discovered a new strain of Linux malware. US agencies warn of ransomware targeting the education sector. Finland prepares to increase its cybersecurity capacity. Deepen Desai from Zscaler on the latest updates to Raccoon Stealer. Our guest is Lance Spitzner from the SANS Institute with results of their recent Security Awareness Report. And a fond farewell to the father of Let's Encrypt.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/172

Selected reading.
Albania cuts Iran ties over cyberattack, U.S. vows further action (Reuters)
Statement by NSC Spokesperson Adrienne Watson on Iran's Cyberattack against Albania (The White House)
TikTok Data Breach Exposing 2B Records And Source Code May Not Have Happened After All (Hot Hardware)
TikTok Denies Data Breach Reportedly Exposing Over 2 Billion Users' Information (The Hacker News)
Shikitega - New stealthy malware targeting Linux (AT&T Alien Labs)
#StopRansomware: Vice Society (CISA)
Peter Eckersley, tech activist and founder of Let's Encrypt, dies at 43 (Techspot)
Honoring Peter Eckersley, Who Made the Internet a Safer Place for Everyone (Electronic Frontier Foundation)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Albanian government attributes a disruptive cyber attack to Iran.
TikTok says it's found no evidence of a data breach.
Researchers have discovered a new strain of Linux malware.
U.S. agencies warn of ransomware targeting the education sector.
Finland prepares to increase its cybersecurity capacity.
Deepen Desai from Zscaler on the latest updates to Raccoon Stealer.
Our guest is Lance Spitzner from the SANS Institute with results of their recent security awareness report.
And a fond farewell to the father of Let's Encrypt.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 7th, 2022.

Reuters reports that Albania has attributed the extensive disruptive cyber attack it sustained on July 15th to Iran, saying it was "orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression." That's according to Prime Minister Edi Rama. Albania has severed diplomatic relations with Iran and ordered Iran's diplomats to leave the country. Prime Minister Rama acknowledged the stringency of the response, but said it was fully justified, stating, "This extreme response is fully proportionate to the gravity and risk of the cyber attack that threatened to paralyze public services, erase digital systems and hack into state records, steal government intranet electronic communication, and stir chaos and insecurity in the country."
Albania's foreign minister announced Tirana's response to Tehran in a tweet this morning: "As of today, by a decision of the Albanian Council of Ministers, Albania has severed all diplomatic relations with the Islamic Republic of Iran. All diplomatic and other personnel of Iran's embassy are to leave the territory of the Republic of Albania within 24 hours. It is a decision imposed on Albania by the actions of Iran, which our investigation has shown was behind the massive and unprovoked July 15 cyber attack against Albania's infrastructure and government services. We are confident that our allies and partners will stand shoulder to shoulder with us facing the present and possible future challenges."

Albania is a NATO member, and its action received support from other members of the Atlantic Alliance. The U.S. condemned the Iranian cyber attack and expressed solidarity with Albania.
The White House statement issued by the National Security Council is brief enough to be worth quoting in full: "The United States strongly condemns Iran's cyber attack against our NATO ally, Albania. We join in Prime Minister Rama's call for Iran to be held accountable for this unprecedented cyber incident. The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace. For weeks, the U.S. government has been on the ground working alongside private sector partners to support Albania's efforts to mitigate, recover from, and investigate the July 15 cyber attack that destroyed government data and disrupted government services to the public. We have concluded that the government of Iran conducted this reckless and irresponsible cyber attack and that it is responsible for subsequent hack and leak operations. Iran's conduct disregards norms of responsible peacetime state behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public. Albania views impacted government networks as critical infrastructure. Malicious cyber activity by a state that intentionally damages critical infrastructure or otherwise impairs its use and operation to provide services to the public can have cascading domestic, regional, and global effects, pose an elevated risk of harm to the population, and may lead to escalation and conflict. We will continue to support Albania's remediation efforts over the longer term, and we invite partners and allies to join us in holding malicious cyber actors accountable and building a secure and resilient digital future."
Social media giant TikTok says that a reported data breach on the platform may never have actually happened, Hot Hardware reports.
Last week, a vulnerability in the TikTok app on Android was revealed by Microsoft that would have allowed threat actors to hijack accounts. The vulnerability was patched before its disclosure, but a BreachForums user with the name Against the West reported shortly after Microsoft's disclosure that they had access to a server containing 6.7 terabytes of stolen data from TikTok and WeChat. TikTok denies the breach, saying in a statement to Forbes that, "Our security team has found no evidence of a security breach. We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases. The samples also appear to contain data from one or more third-party sources not affiliated with TikTok." The Hacker News reports that Bob Diachenko, a threat intelligence researcher at Security Discovery, called the breach real but said that it originated from Hangzhou Zhulan Network Technology rather than TikTok.

Researchers at AT&T Alien Labs describe Shikitega, a stealthy strain of malware targeting endpoints and IoT devices that are running Linux operating systems. The researchers state, "Shikitega is delivered in a multi-stage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist."
Yesterday, the FBI, CISA, and the MS-ISAC issued a joint advisory warning that the Vice Society threat actor has recently been disproportionately targeting the education sector with ransomware attacks. The advisory states, "The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022-2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. School districts with limited cybersecurity capacities and constrained resources are often the most vulnerable. However, the opportunistic targeting often seen with cybercriminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers."
While the cyber phases of Russia's hybrid war have been relatively quiet as the week opened,
and largely eclipsed by the risk of a major nuclear accident in the opening days of Ukraine's general counteroffensive,
governments geographically close to Russia have continued to take measures to improve their cybersecurity posture.
Finland, in the wake of attacks aimed at disrupting its parliament,
is moving to offer grants to organizations deemed capable of hardening the country's attack surface.
And we close with some sad news. Cybersecurity lost an important contributor on Friday when Peter Eckersley passed away from cancer, far too young at the age of 43. He'll be remembered for his contributions to encryption as the father of Let's Encrypt, for his service at the Electronic Frontier Foundation, and for his more recent work on the ethical issues surrounding privacy and artificial intelligence. He'll be missed, and we wish his family, friends, and colleagues all comfort and consolation.

Deepen Desai from Zscaler has the latest updates to Raccoon Stealer. Our guest is Lance Spitzner from the SANS Institute with results of their most recent security awareness report. Stay with us.
Lance Spitzner is Director of Security Awareness at the SANS Technology Institute. I checked in with him for insights on the recently released 2022 SANS Security Awareness Report.

Probably one of the first things that really stood out this year
is the need to shift this concept of security awareness to managing human risk. So for example, in the report, one of the most surprising data points is if you're
dedicated full-time to security awareness, you're most likely to be paid far less than somebody
dedicated part-time to security awareness. So the average pay of somebody in security awareness,
the overall is about $110,000. So we're asking people, hey,
what's your salary? And this is at a global scale. But what we found is if you're part-time,
it's much more. And if you're full-time, it's much less. And the reasons we believe that to
be the case is if you're part-time, your compensation is based on your other security roles,
most likely on the technical side. If you're full-time, you're getting compensated just on
your security awareness role, which leads us to believe that leaders aren't truly valuing what
security awareness officers do because we in the security awareness
field have actually done a really poor job at communicating what we do and why.
Wow, that's really interesting. I mean, how do you suppose folks go about closing that gap?
And that's probably the key takeaway of the report. That's a really good question. So if
you look at the report, you'll notice the words managing human risk on the report. Traditionally, security awareness has been perceived as just this
once a year training effort, mainly for compliance. But the field is really going
through a fundamental shift where we're now realizing, hey, human risk is a huge part of drivers for breaches today. And once again,
go back to the Verizon DBIR. For the past three years, the report has identified people are
involved in over 80% of breaches. So if cyber represents one of the greatest risks to organizations
today, people are one of the greatest risks in cyber when they start
working with technology. We're moving this concept from security awareness, where leaders have this
perception you're in the entertainment business. We're trying to migrate to actually know we're in
the managing human risk business. This means we're working with the cyber threat intelligence teams.
This means we're applying behavioral science. This means we're using organizational change models to really change and secure people's behaviors, because that's where I and the report feel organizations can now, in today's world, have the biggest impact.

So Lance, you know, I think we're all familiar with security
awareness training and I think a lot of companies also engage with things like phishing simulations, that sort of thing.
I mean, based on the information you all have gathered here, what part do those sorts of things have to play in an organization's defenses these days?
That's a great question, and it comes back to what we were talking about earlier, managing human risk.
Security awareness is what we do.
Managing human risk is why we do it.
So five years ago, traditionally,
security awareness was all about reaching out
to training people, computer-based training,
phishing simulations.
But now we're taking it to the next level,
and it's really about managing human risk.
So the first step is actually security awareness teams working with their security teams, the Security Operations Center, Cyber Threat Intelligence, the Incident Response Team, to really identify what their top human risks are.
Things like phishing and passwords.
Then they roll out the training to change those
behaviors. We're no longer trying to just make people aware. We want to change their behavior
so they can easily identify phishing attacks. So they start using credentials in a safe and
secure manner, sharing or using data in a secure way. So the first step is identifying those top human
risks. Then all that training is about changing behaviors to manage those risks. So that's why
we see things like phishing simulations so popular because that's training addressing a top human
risk. That's Lance Spitzner from the SANS Technology Institute.
And joining me once again is Deepen Desai. He is the Chief Information Security Officer and VP of Security Research and Operations at Zscaler. Deepen, it's always great to have you back to the show.
I want to touch base today with something you and your colleagues recently posted about.
This is, you're tracking an updated version of Raccoon Stealer. What's going on here?
Yeah, so Raccoon Stealer, for those of you that don't know, is a malware family that has been
sold as malware as a service model on the underground forum since early 2019. And as part of our tracking activity in early July,
the team came across a variant of this malware. And there were a few new things that the team
observed, which prompted us analyzing and posting this article. What are some of the details here,
some of the things that they updated? They're leveraging dynamic loading of WinAPI functions.
These two things that I mentioned are more geared towards evading detection, increasing the shelf life of the payloads that are being pushed out. The previous versions of Raccoon Stealer, they were heavily dependent on leveraging Telegram APIs to fetch the list of command and control servers.
So these are destinations that the malware will communicate with after they have successfully
established infection on the endpoint.
In this newer variant, what we saw is a list of hard-coded IP addresses. These are mostly threat actor-controlled servers, which are then leveraged to fetch the list of command and control servers from where the next stage payloads will be delivered, as well as the C&C commands.
What sort of things does Raccoon Malware seem to be after?
What is it out to steal?
Raccoon Stealer will be responsible for stealing data such as passwords, cookies, your autofill data from web browsers.
We have also seen code that indicates that there's support to steal cryptocurrency wallets from the endpoints that they're able to compromise.
And so in your estimation, how sophisticated a threat group are we talking about here?
In terms of sophistication, I mean, I would still think of this as something that is in development and in progress.
As I mentioned, some of the anti-analysis, anti-detection tricks that we observed in this version 2, there are many other families out there that have been using this for a long time.

And what are your recommendations for folks to best protect themselves?
Recommendation, always make sure: these stealers can arrive packaged with some of that cracked software, pirated stuff. So stay away from those. Always rely on legitimate sources when you're downloading your software.
And then if you notice something spiking CPU activity,
any kind of slowness on the system,
because this payload was known to do that
when we were analyzing it,
you should report it to your security team.
So that's from the end user perspective.
From the security admin perspective,
payloads such as this, which are newly packaged,
that is continuously going through newer development,
you need an inline sandboxing solution
to honestly observe the behavior
and flag it and lock it
for your users.
All right.
Well, Deepen Desai, thanks for joining us.
Thank you.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.

The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki. Thanks for listening. We'll see you back here tomorrow.