CyberWire Daily - An update on three threat actors: Fangxiao, Killnet, and Billbug, one of them in it for money, another for the glory, and a third for the intell. Twitter and SMS 2FA. Zendesk patches. CISA adds a KEV.
Episode Date: November 15, 2022

Fangxiao works ad scams en route to other compromises. Killnet claims to have defaced a US FBI site. CISA registers another Known Exploited Vulnerability. Difficulties with Twitter's SMS 2FA system. Zendesk vulnerability discovered. Joe Carrigan explains registration bombing for email addresses. Our guest is Miles Hutchinson from Jumio with insights on defense against sophisticated ransomware attackers. And Billbug romps through Asian government agencies.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/219

Selected reading.
Fangxiao: a Chinese threat actor (Cyjax)
Fangxiao: A Phishing Threat Actor (Tripwire)
Russian hackers claim cyber attack on FBI website (Newsweek)
CISA Has Added One Known Exploited Vulnerability to Catalog (CISA)
Twitter's SMS Two-Factor Authentication Is Melting Down (WIRED)
Varonis Threat Labs Discovers SQLi and Access Flaws in Zendesk (Varonis)
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries (Symantec)
Chinese hackers target government agencies and defense orgs (BleepingComputer)
Researchers Say China State-backed Hackers Breached a Digital Certificate Authority (The Hacker News)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Fangxiao works ad scams en route to other compromises.
Killnet claims to have defaced a U.S. FBI site.
CISA registers another known exploited vulnerability.
Difficulties with Twitter's SMS 2FA.
Zendesk vulnerabilities have been discovered.
Joe Carrigan explains registration bombing for email addresses.
Our guest is Miles Hutchinson from Jumio with insights on defense against sophisticated ransomware attacks.
And Billbug romps through Asian government agencies.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 15th, 2022.
Cyjax has published a report on Fangxiao,
a Chinese threat actor apparently motivated by financial gain as opposed to espionage.
It relies on phishing baited with spoof domains of legitimate companies to spread adware.
It also appears to be implicated in mobile malware distribution.
Cyjax writes,
We assess that Fangxiao is a China-based threat actor likely motivated by profit.
The operators are experienced in running these kinds of imposter campaigns,
willing to be dynamic to achieve their objectives,
and technically and logistically capable of scaling to expand their business.
So, Fangxiao makes money en route to whatever it gets,
ultimately from compromised systems, by fees for referrals.
Tripwire, which has also looked at the scam, explains how it works.
They say,
With a UK IP address and Android user agent,
the researchers were led to multiple domains before receiving a malicious APK. This file is identified by VirusTotal as Triada, an Android malware.
And then comes a connection to an Amazon affiliate. With an IP address from the United
Kingdom and an iOS user agent, the site went to an Amazon affiliate link. This permits
whoever handled the final reroute to receive a commission on every Amazon purchase made using
the same device for the next 24 hours, which may represent a substantial source of income.
Newsweek reports that Killnet, the hacktivist group serving as a Russian auxiliary,
claimed to have defaced a website belonging to the U.S. FBI.
If it happened at all, it was a very brief episode, with no credible observers saying they'd seen it. The claim itself, however, represents a small nuisance in the information operations Killnet and other Russian organizations have fitfully waged against Ukraine and countries sympathetic to Ukraine's cause. Killnet and other Russian auxiliaries have, over the past month, proven relatively indifferent to whether or not they've actually achieved the kind of access or disruption they've claimed. It's the claim, the friction induced in the opposition, not the reality of the attack, that matters.
CISA has added a new item to its known exploited vulnerabilities
catalog. Federal executive civilian agencies have until December 5th to look for, fix, and report
action on CVE-2022-41049, a Microsoft Windows Mark of the Web security feature bypass vulnerability.
The remediation is, as usual, to apply updates per vendor instructions.
Numerous Twitter users are reporting problems with the platform's two-factor authentication
system. Wired has a summary of what's been going on, stating,
some users are reporting problems when they attempt to generate two-factor authentication
codes over SMS. Either the texts don't come or they're delayed by hours. That functionality
may be among the bloatware Twitter's new owners say they're interested in purging from their
service. Twitter's Help Center still
indicates this morning that two-factor authentication remains available, and Wired
and others note that SMS is not the best form of multi-factor authentication available.
Researchers at Varonis have discovered a vulnerability in the customer support product
Zendesk that could have allowed attackers to access customer accounts.
The researchers found a SQL injection vulnerability and a logical access flaw
that affected the product's reporting and analytics tool Zendesk Explore,
which is disabled by default. The researchers state that the flaw would have allowed threat
actors to access conversations, email addresses, tickets, comments, and other information
from Zendesk accounts with Explore enabled.
Varonis explains,
To exploit the vulnerability, an attacker would first register
for the ticketing service of its victim's Zendesk account
as a new external user.
Registration is enabled by default because many Zendesk customers
rely on end users submitting support tickets
directly via the web.
Zendesk Explore is not enabled by default
but is heavily advertised as a requirement
for the analytic insights page.
Zendesk promptly developed a patch for the flaw
after Varonis notified them of the problem.
Varonis says the vendor began working on a fix the same day they were notified.
Zendesk fixed multiple bugs in less than one workweek with, it says, no customer action required.
And finally, Symantec has found that a Chinese state-sponsored threat actor
compromised a digital certificate authority in an
unnamed Asian country. The threat actor also compromised government and defense agencies in
several Asian countries. The threat actor, which Symantec tracks as Billbug and is also known as
Lotus Blossom or Thrip, likely targeted the certificate authority in order to sign its
malware files,
although it's not clear if Billbug was able to steal any certificates.
The researchers say the targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it
to access certificates, they could potentially use them to sign malware
with a valid certificate and help it avoid detection on victim machines.
They could also potentially use compromised certificates to intercept HTTPS traffic.
However, although this is a possible motivation for targeting a certificate authority, Symantec
has seen no evidence to suggest they were successful in compromising digital certificates.
Symantec has notified the certificate authority in question to inform them of this activity.
Symantec noted back in 2019 that Billbug is based in China
and its primary goal appears to be espionage.
Coming up after the break, Joe Carrigan explains registration bombing for email addresses.
Our guest is Miles Hutchinson from Jumio with insights on defense against sophisticated ransomware attackers.
Stick around.
The ongoing threat of targeted ransomware has left a lot of companies, particularly small and medium-sized businesses, struggling to keep up with what is frequently described as a nation-state level of attack sophistication.
Miles Hutchinson is Chief Information Security Officer at identity verification and online mobile payments company Jumio,
where he and his colleagues are on the front lines of this fight.
More and more and more, we're seeing the tactics used by nation-state or state-sponsored attackers and the tactics used by organized crime groups. Traditionally, those two worlds were kind of apart, and more and more over the years we've seen those worlds converge, so we're seeing the tactics used by both sides being very similar. And then where are we at today? Everybody's ecosystem, technical ecosystem, is such that we're also reliant on so much technology and so many, you think of the variety of vendors that we have all got within our businesses.
Everybody is susceptible to this in one way, shape, or form.
We're all either going to be directly targeted or indirectly targeted, because we end up accidentally in the blast radius of somebody else's attack that's being directed their way. So yeah, you can end up, unfortunately, being indirectly impacted by this just by association with a vendor that's on a hit list of a nation-state attacker.
And how do you define a nation-state attacker? I mean, or I guess more specifically, the types of attacks that they generally use.
Is it clear or is there some fuzziness there?
I think there's definitely some, as I said kind of before,
I think historically that used to be quite clear cut.
And the approach was a bit more obvious that if you saw that type of approach,
it was definitely that this is coming from the nation state.
Whereas these days, you're seeing nation-state attackers and crime groups that they sponsor sharing tactics or using similar tactics. We saw, you know, many, many years ago, we saw that certain attack patterns that were coming out of the U.S. were leaked, but then picked up and then made it out into the public domain, and then also made it into attack packages that are used by other nations back on themselves, back on other nations as well. So I think the lines are blurred, for sure. I think the lines are definitely blurred. And then that definition of, well, how do you know it? How do you attribute who it's come from?
We are seeing that certain attacks coming from organized groups
that are, when you lift the lid on it,
all evidence kind of points towards this is a state-sponsored attack.
It's extremely difficult to prove it, but the evidence,
the weight of evidence suggests that a lot of these attacks are coming from groups that are being backed by nation states.
And so where does that put your average organization then in terms of prioritizing their defenses?
Yeah, well, I think the good news on this is, from a priority point of view, the good news is, if you're doing the basics, then I wouldn't say you've got nothing to worry about, right, and equally I wouldn't want to say you've got something to worry about. But if you're doing the right things at the right time in the right part of your business, then come the day that the worst happens, you're prepared. And I think, irrespective of who that comes from, does that come from a nation state, does that come from an organized crime group, or equally, Dave, the other thing, does that come from yourselves because you've had an accident, you know, a cyber accident yourselves, the key point is: get the foundations right. Make sure you understand what your business is. Make sure you understand where your most important data is. Make sure you understand where all of your exposures are. And make sure, most of all, that you know what you're going to do come the day that something happens, so you're ready. So I'm not sure that, unless you're in the business of attacking other nations, and unless you're in, you know, kind of military or government, or you're in the business where every single minute of every single day you know that you're being attacked like this, then you take a slightly different approach. But I think for your general enterprise business or small, medium-sized business that isn't in that category but could get caught up within it by association with another vendor, or by association with a marketing campaign, or a customer that you've onboarded: if you've got the basics covered, then that's going to stand you in good stead for whoever's coming your way.
Are there any common shortcomings that you see,
maybe some blind spots that organizations overlook?
There's been a few years of people talking about ransomware is going up and up and up and up.
We're seeing it growing year on year. I think the stats in the last year, it has gone up again.
I think it's gone up again by another 120% in the last year. And all of, you know, the majority of where we're seeing attacks growing
is all targeting the human.
So the human risk is growing for sure.
There's a, you know, the adage out there saying that people are the weakest link,
and I really don't buy into that at all.
I just think people are the most targeted, because the attack surface of the human is far, far wider, so: better return. So yeah, I think, look, shortcomings on this, I think it's making sure that you're protecting your humans within your business and the equipment that those people are using, because by and large it's that equipment that's initially used. If you think of an attack, an attack doesn't have a, it's not all over and done with very quickly. It's typically, these types of attacks that we're talking about, nation-state or sponsored, they typically are a fairly convoluted attack pattern. So it starts with a point of entry. You're then going to maneuver within the business and pivot to other parts of that business once you're inside them, until you get to a point where you've found something of interest to perform the payload, or whatever it is that your intent is.
So it's typically not just a break through the front door and smash and grab and get out of there.
It's normally quite a drawn-out process. But it usually starts with the person, and it usually starts with the person's, the user's, equipment. So that's one thing that a lot of companies can spend a lot more time on: making sure that they're protecting their humans and protecting the equipment that those humans are using.
That's Miles Hutchinson from Jumio.
And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute, as well as Harbor Labs. Joe, it's always great to have you back.
Hi, Dave.
So we were talking about some stuff over on the Hacking Humans podcast, which you and I co-host. And I got a message from our friend, Dr. Christopher Pierson. He's CEO of Black Cloak.
Right.
And he sent over some research that they had been doing, I guess a report that they put out, about something called a human denial of service attack,
where he received multiple emails, phone calls, and text messages,
like hundreds an hour.
Okay.
Tons of them.
Just an avalanche.
An avalanche of these things.
And in those emails and phone calls were information from his bank
that somebody was using a cloned credit card,
a debit card to extract money from his bank account.
Okay.
And this research that Dr. Pierson sent over is akin to that.
And I think Dr. Pierson listened to the Hacking Humans show.
Yeah.
And sent this over.
But Black Cloak has this concept of registration bombing,
which is kind of like automation of that attack.
Okay.
So what happens here is I'm a bad guy, right?
And like bad guys, I often sign up for newsletters.
Right.
Or maybe access to websites.
Okay.
And every time I do that, I notice that when I sign up for a website, xyz.com,
they send me an alert that says, did you sign up for this website? Please confirm by
clicking on this link and we'll validate your email address. Wow, that's useful. A bunch of
other websites do that too. So if I want to obfuscate messages that somebody should be
paying attention to, I'm going to create a bunch of noise and maybe the messages that warn them of my malicious activity will be
lost in that noise. So I automate the process and just have a bunch of bots start going out
and registering for websites. Those websites all send an email to this person's account,
to my victim's account. And then while that's going on, I start conducting my fraud. So they
get an email from their bank that
says, we noticed that you just transferred $2,000 out of your bank account. And hopefully the person
doesn't see it. Because of all the noise. Because of the other noise that's in there. Right. It's
actually a very creative attack. So I'm getting hundreds of emails flooding my box. And in the
midst of that, the bad guys do their thing,
hoping that I will miss the legit one from my bank
or some retailer that I'm working with online,
something like that.
Correct.
How does one protect themselves against this?
This is a tough one, Dave.
I've actually been thinking about this for a while
because since Beau's story,
I've been actually kind of concerned
about this kind of attack.
Uh-huh.
But I think I have a solution
and I haven't tried it yet.
Okay. But what I'm going to do is I'm going to open up an email account just for my financial institutions that I deal with. Anybody I have a credit card with or a bank account with,
I'm going to say, my email address is now this, please use this. And that way, they will send
their emails to that address, which I can monitor on my phone or through my web browser or however.
The key difference being that this is not an email I ever publish to anybody.
I see.
Right?
So nobody ever goes, Joe Carrigan, oh, he is joesbills at gmail.com.
Right.
Right.
Right.
Right.
They'll do the Google search and they'll find my OG Gmail account and they'll go, oh, there's Joe's email.
I can send him emails and pester him.
Or maybe I can flood his inbox with a bunch of messages.
But they'll flood my inbox with a bunch of messages, and I'll still get the email in the financial account, in Joe's banking, joesbills at gmail.com.
Yeah.
What I'm wondering about, though, because I think some of this happens when credentials have been compromised.
So say, for example,
your banking credentials were compromised.
That would mean they would have that unique email address
and they would start flooding that.
Ah, okay, that's a good point, Dave.
So maybe that won't work very well.
Well, but you would, I mean,
I think you'd know the jig was up
because you shouldn't be getting email or newsletter registrations
on your exclusive financial email address.
Correct.
So that would be an indicator itself.
An indicator that something was going on.
But getting thousands of those things in an hour
would also be an indicator that something was going on.
Yeah.
Even if it went to my regular Gmail address.
Yeah.
Yeah.
All right.
Well, again, our thanks to Dr. Christopher Pierson from Black Cloak for sending this report over.
The report is titled New Registration Bomb Email Attack Distracts Victims of Financial Fraud.
Worth checking out.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, Simone Petrella, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.