CyberWire Daily - An update on the Uber breach. Emotet and other malware delivery systems. Belarusian Cyber Partisans work against the regime in Minsk. And risky piracy sites.

Episode Date: September 19, 2022

An update on the Uber breach. Emotet and other malware delivery systems. Belarusian Cyber Partisans work against the regime in Minsk. Grayson Milbourne of OpenText Security Solutions on the arms race for vulnerabilities. Rick Howard continues his exploration of cyber risk. And risky piracy sites–that's on the Internet, kids, not the high seas. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/180

Selected reading.
Developments in the case of the Uber breach. (CyberWire)
Preliminary lessons from the Uber breach. (CyberWire)
Uber says "no evidence" user accounts were compromised in hack (The Verge)
Uber Claims No Sensitive Data Exposed in Latest Breach… But There's More to This (The Hacker News)
Uber apparently hacked by teen, employees thought it was a joke (The Verge)
Uber hacker claims to have full control of company's cloud-based servers (9to5Mac)
The Uber Hack's Devastation Is Just Starting to Reveal Itself (WIRED)
Uber was breached to its core, purportedly by an 18-year-old. Here's what's known (Ars Technica)
Uber hacked by teen who annoyed employee into logging them in - report (Jerusalem Post)
18-year-old allegedly hacks Uber and sends employees messages on Slack (Interesting Engineering)
Uber Investigating Massive Security Breach by Alleged Teen Hacker (Gizmodo)
Uber cyber attack: protecting against social engineering (Information Age)
Threat actor breaches many of Uber's critical systems (Cybersecurity Dive)
Uber confirms hack in the latest access and identity nightmare for corporate America (SC Media)
Uber hacked, attacker tears through the company's systems (Help Net Security)
Uber confirms it is investigating cybersecurity incident (The Record by Recorded Future)
UBER HAS BEEN HACKED, boasts hacker – how to stop it happening to you (Naked Security)
Emotet and other malware delivery systems. (CyberWire)
Emotet botnet now pushes Quantum and BlackCat ransomware (BleepingComputer)
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022 (AdvIntel)
August's Top Malware: Emotet Knocked off Top Spot by FormBook while GuLoader and Joker Disrupt the Index (Check Point Software)
How Belarusian hacktivists are using digital tools to fight back (The Record by Recorded Future)
Malvertising on piracy sites. (CyberWire)
Unholy Triangle (Digital Citizens' Alliance)
Piracy Advertising Researchers Fall Victim to Ransomware Attacks (TorrentFreak)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. An update on the Uber breach, Emotet and other malware delivery systems, Belarusian Cyber Partisans work against the regime in Minsk, Grayson Milbourne of Webroot on the arms race for vulnerabilities,
Starting point is 00:02:14 Rick Howard continues his exploration of cyber risk, and speaking of risk, risky piracy sites. That's on the internet, friends, not the high seas. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 19th, 2022. Persistent social engineering, pestering really, that softened up employees for a bogus call from IT, appears to have gained a hacker deep access to Uber's systems. Uber's initial disclosure of the breach on September 15th was terse, saying, We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available. On the 16th, it offered the following amplification. While our investigation and response efforts are ongoing, here is a further update on yesterday's incident.
Starting point is 00:03:30 We have no evidence that the incident involved access to sensitive user data like trip history. All of our services, including Uber, Uber Eats, Uber Freight, and Uber Driver, are operational. As we shared yesterday, we have notified law enforcement. Internal software tools that we took down as a precaution yesterday are coming back online this morning. Someone claiming to be the threat actor responsible for the intrusion bragged in the company's Slack channels, Hi, here, the hacker posted.
Starting point is 00:04:02 I announce I am a hacker and Uber has suffered a data breach. Slack has been stolen. Confidential data with Confluence, Stash, and two monorepos from Fabricator have also been stolen, along with secrets from Sneakers. Employees who saw the post thought it was a goof, The Verge reports, and many cheerfully played along until it became clear that in fact the breach was real and potentially serious. Ars Technica thinks that the story the hacker tells is plausible
Starting point is 00:04:34 and that while it's still not clear what the hacker gained access to, potentially, at least, it's quite a bit. Wired reports that screenshots provided by the hacker suggest deep access, including access to one login accounts. Uber has said there's no evidence that customer data was compromised, but as the Hacker News suggests, this may be a case in which the absence of evidence is an evidence of absence. As Uber itself has said, the investigation is ongoing. Apparently, the self-identified 18-year-old who compromised Uber just kept at it, made themselves such a pest that
Starting point is 00:05:13 people eventually caved in and forwarded MFA push prompts in the hope that it would get them off their back. It's like a hacker's inversion of the parable of the persistent widow and the unjust judge. Only in this case, the pest is unjustable of the persistent widow and the unjust judge. Only in this case, the pest is unjust and the pestered are the righteous ones. The Jerusalem Post describes the pestering, stating, the hacker reportedly claimed that he had spammed an Uber employee with push notification login requests for over an hour before contacting him on WhatsApp while claiming to be from Uber IT and telling him that he would need to accept the request if he wants them to stop.
Starting point is 00:05:50 The employee then accepted the request, allowing the hacker to log in to the employee's account and access the company's internal servers. Researchers at Adve Intel have observed more than 1.2 million Emotet infections since the beginning of 2022. Most of the infections, around 35%, are located in the United States. The researchers also warn that the Quantum and Black Cat ransomware groups are now using the malware distribution Botnet following the breakup of Conti in June 2022. the malware distribution botnet following the breakup of Conti in June 2022. The researchers state, The observed botnet taxonomy attacker flow for Emotet is Emotet to Cobalt Strike to ransomware operation.
Starting point is 00:06:35 What this means is that currently, the way that threat actors primarily utilize Emotet is as a dropper or downloader for a cobalt strike beacon, which deploys a payload, allowing threat actors to take over networks and execute ransomware operations. Leaping Computer adds that significant spikes in Emotet activity were observed by both Adve Intel and ESET in 2022. According to Checkpoint's visibility, however, the Formbook InfoStealer replaced Emotet as the most prevalent malware strain in August 2022, followed by the agent Tesla Trojan, the XM-Rig CryptoMiner, and the GooLoader Downloader. Meanwhile, AlienBot, Anubis, and Joker were the most common mobile malware strains. The cyber-partisans continue to operate as domestic opposition to the government of Belarusian President Lukashenko. Their activities, as described in an overview by the record, have principally involved embarrassing the regime through doxing,
Starting point is 00:07:38 with amplification of discreditable information through internet memes and rough animation that's reminiscent of South Park's visual style. From the records reporting, although made up mostly of young tech specialists and activists, the cyberpartisans resemble an amateur intelligence service. They have a political agenda, clear goals, and put a lot of effort into collecting and analyzing sensitive data. A Bloomberg report earlier this
Starting point is 00:08:06 summer described the cyberpartisans as having taken hacktivism to the next level. The record puts the cyberpartisans' number at about 60 and describes them as, for the most part, self-taught. Their approach suggests the lines along which hacktivism might successfully be conducted. The goal is embarrassment. The means are doxing and ridicule, not demonization, supplemented by selected attacks
Starting point is 00:08:31 against the regime's infrastructure. Ridicule is probably more productive against an authoritarian regime that depends upon fear and the projection
Starting point is 00:08:39 of strength as its surrogate for legitimacy. And on target selection, the cyberpartisans are notable for their ability to pick both high-value targets and to attack them in a discriminating fashion. They look for targets whose disruption interferes with crucial operations of the regime, and they see their cyberattack against Belarusian rail traffic as a good example of this.
Starting point is 00:09:03 It interfered with the movement of Russian material through Belarusian rail traffic as a good example of this. It interfered with the movement of Russian material through Belarusian networks to invasion forces in Ukraine. Today, of course, is international talk like a pirate day. Métis. Have you fed the parrot and finished your holiday shopping? We have, except we don't actually have a parrot. And talk, if you will, like a pirate, but stay off the piracy sites. The Digital Citizens Alliance, in partnership with White Bullet and Unit 221B, released a report detailing piracy sites and advertising. Malware has also been found on piracy sites and advertisements targeting users. Researchers found that those who visited piracy sites, and advertisements targeting users. Researchers found that those who visited piracy sites
Starting point is 00:09:46 were exposed to an estimated 321 million malicious ads in the span of one month. That's a lot of booty, me hearties. Or shouldn't that be you hearties? It must have been tough to communicate on the Spanish main in the High Barbary. Arr! Coming up after the break,
Starting point is 00:10:14 Grayson Milbourne of WebRoot on the arms race for vulnerabilities. Rick Howard continues his exploration of cyber risk. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Starting point is 00:10:53 Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak.
Starting point is 00:11:45 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more And it's always my pleasure to welcome back to the show the CyberWire's own Rick Howard. He is our Chief Security Officer and also our Chief Analyst.
Starting point is 00:12:36 Hello, Rick. Hey, Dave. So, in the CyberWire's Slack channel this week, you were crowing that you finally figured something out. Now, that in itself is worth noting. Yeah, first time this year. Well, if I recall, several eurekas in quotes were involved. So, fill us in here, Rick. What's going on? Well, guilty as charged, and I really do think I am on to something here, okay? You know that one of my main cybersecurity first principles that I talk about a lot is forecasting cyber risk. And you and I have talked about it many times,
Starting point is 00:13:11 right, Dave? And I can see your eyes rolling already. That's the way my wife looks at me when I talk about this stuff. And I think the one thing that we can all agree on is that this is really hard to do. I mean, the Cybersecurity Canon Project is full of Hall of Fame and candidate books that talk about it, like How to Measure Anything in Cybersecurity Risk by Hubbard and Syerson and Measuring and Managing Information Risk by Freund and Jones. And there are many more, and they're all great primers for learning how to think about cyber risk. But my main complaint over the years about all of those books was that they didn't have that last chapter that explained how to do it from
Starting point is 00:13:51 top to bottom. That was always left as an exercise for the reader. So for the past decade, I've been trying to figure it out, and I think I got it. I think I've finally figured it out. So for this week's CSO Perspectives Pro episode, I walk everybody through two examples about how to calculate cyber risk. And the good news here is that the math isn't that complicated. You know, some basic math,
Starting point is 00:14:14 some basic addition and subtraction, and a little division. And then once you know what the probability of material impact is for those organizations, we talk about what you do with that information. How do you convey it to the board and assess the leadership team's risk tolerance and set a course to decrease that risk if necessary? All right, interesting. Well, that is on the pro side. What are we talking about on the CSO Perspectives public side this week? Yeah, that's one of my
Starting point is 00:14:41 favorite topics. I do a deep dive on the MITRE ATT&CK framework through the lens, though, of senior cybersecurity executives. So most analysts know what the MITRE ATT&CK is. This show explains to the executive why it's important, why they should know about it, and what they should be asking their InfoSec teams so that they can be good at it. Well, last but certainly not least, what is the phrase of the week on your WordNotes podcast? This week's phrase is MFA prompt bombing, and try to say that three times real fast, okay? That'll be a disaster. This is a relatively new hacker technique that is able to skirt multi-factor authentication systems and has been seen in the wild used by cyber crime groups like Lapsus
Starting point is 00:15:25 and cyber espionage groups like APT29 or CozyBear. All right. Well, lots to listen to this week. Rick Howard, always a pleasure speaking to you. You can find out more about CyberWire Pro over on our website, thecyberwire.com. Rick, thanks for joining us. Thank you, sir. And I am pleased to welcome to the show Grayson Milbourne. He is Security Intelligence Director at OpenText Security Solutions. Grayson, it's always great to welcome you back to the show. Yeah, thanks, David. I'm really happy to be here. So I want to talk today about vulnerabilities and particularly this sort of complex ecosystem
Starting point is 00:16:19 that exists in terms of, you know, folks tracking down vulnerabilities, bug bounties, all that kind of stuff. I'm really looking forward to hearing your insights on this. Yeah. Well, I mean, I think vulnerabilities over the past 10 years have been discovered sort of on a parabolic curve in that each year we're finding many more than double the amount of vulnerabilities discovered in the previous year. And I think this makes sense in a lot of ways in that we have a world that is really defined
Starting point is 00:16:48 by software and software is part of everybody's everyday life and interaction. And more and more software is being developed, right? And so we have the future of IoT and convenience devices and medical IoT. And so I think there's just, you know, there's an enormous pipe of new software being developed, which again creates a lot of opportunities for mistakes. And as a developer myself, I can tell you that it's almost impossible to write bug-proof code on your first pass through.
Starting point is 00:17:18 That's even working within a security mindset. And so I think what we see is that it's not malicious actions by developers trying to create buggy code. It's just that coding can be quite complex. And if you don't take into account the thoughts of a hacker, you might make a mistake in your development process or how you architect things that can make you vulnerable. And in fact, this is exactly what happens because we're discovering more and more than ever before.
Starting point is 00:17:46 And some of these are really, really wide impacting. And so I think you probably remember from January this year when we had the log4j vulnerability disclosed and just how many things were impacted by that. And so I look at that as one of the examples of when a vulnerability can go very wrong. The reality is almost all software can be vulnerable. And if somebody picks it apart long enough, they might very well find a flaw. And so that process continuously goes on. Where does that leave us in terms of incentives? Because we have, obviously, the developers who are trying to make their software as secure
Starting point is 00:18:22 and bug-free as possible. But now we have a whole other group of people who are trying to hunt these things down, some of them for bug bounties, some of them who are up to no good. Yeah, and I think, you know, this is sort of where we've watched a unfortunate transition over the past day. I would say when bug bounty programs first were introduced, you know, several years ago, maybe seven or eight years ago, I think they were a really great initial idea to try to get some of the larger companies like Google. Google wants you to turn over that remote code execution Chrome zero day that you've
Starting point is 00:18:55 discovered, and they'll willingly pay you $100,000. And that might sound like a really good deal, but as a researcher, if I spend 100 hours doing that, okay, maybe that's like $1,000 an hour. That's not a bad payday. But the value of this, you know, isn't maybe accurately reflected when Black Hat Organization might pay me half a million dollars or a government, you know, the government might pay me even more. And it depends. I can't say like, you know, the United States government is different from every other government. And we see different interactions with government and their population with respect to how disclosing vulnerabilities occurs. You know, we can look at China, for example, and China has a law that says if you discover a vulnerability within your software and it's disclosed to you, you have to disclose it to us as well. And, you know, then what happens from there?
Starting point is 00:19:45 to disclose it to us as well. And, you know, then what happens from there? And, you know, if you look back at Log4J, Log4J was actually a Chinese company that discovered it, but they disclosed it to Apache. And there's some fuzziness around this, but, you know, it seems like they may have been sanctioned by the Chinese government for disclosing what, you know, has been the largest vulnerability, you know, disclosed in, you know, at least a couple of years. So, you know. And so this is this conflict of interest, right? The internet is safest when mistakes are disclosed and fixed. And it undermines security for everybody when you have a bidding war between black hats and governments. I think the bidding war is fine on the side of the software developer, the person who
Starting point is 00:20:22 owns the software that has the vulnerability. The thing is, their pockets just aren't often very deep comparatively. So if you're a researcher and profiting from your time and investment into discovering these things is most important to you, the offending software vendors is not always at the top of your list. Where do you suppose we're headed here? I mean, are we seeing advances in software,
Starting point is 00:20:49 advances in hardware, or is there automation that's helping us along the way here? Yeah, so you actually touched on some really great points there. Hardware is one of the ways that we can get around some of these vulnerabilities just because a lot of times it's a logical around some of these vulnerabilities just because a lot of times it's a logical misstep. And so one good example of this is Intel's 11th gen processor comes with a variety of additional security enhancements. But the one that really piqued my eyes is their total memory encryption technology. And this tackles memory corruption or memory access vulnerabilities, which are often some of the most dangerous ones. These are vulnerabilities that can allow me to, for example, capture your cryptography key and steal that out of memory space that it should be protected in, you know, allowing me to decrypt
Starting point is 00:21:33 communications. So, you know, they tackled this from a hardware perspective, not a software perspective. So, you know, by just this one change, more than 50% of last year's disclosed vulnerabilities were in this category. Now, that's great, but when is everybody getting the free update? Microsoft sees the problem and they're like, hey, Windows 7 has problems. We don't want to invest any more there. We're giving away the upgrade to 10 for free. Unfortunately, with hardware, hardware doesn't work in the same fashion. So this you know, this is a really great thing. And I'm excited for what this means 10 years from now. But in between now and then, we have to look towards technology. And I
Starting point is 00:22:14 think this is an emerging area of technology, which is just a little security by design. But that's hard to push into non-security environments. And so kind of if I go back to my IoT example, and I've just made, I don't know, the next smart gadget, how much am I really dedicating in my development lifecycle to the security hardening of my application and my device? That might be a cost that if I realize it, I don't achieve success. And so you often see, again, there's this conflict of, well, I know there is probably a better way to do it, but what time and resources
Starting point is 00:22:52 do I have to achieve that? Right, right. All right. Well, it's interesting stuff for sure. Grayson Milbourne, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:23:59 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. all the fine podcasts are listed. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity
Starting point is 00:24:29 teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Thanks for listening.
Starting point is 00:24:52 We'll see you back here tomorrow. Thank you. guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
