CyberWire Daily - Anatsa Trojan's new capabilities. Third-party breach hits airlines. Gas station blues. What’s up with the Internet Research Agency? Infrastructure threats. And DDoS grows more sophisticated.
Episode Date: June 27, 2023

Anatsa Trojan reveals new capabilities. Airlines report employee data stolen in a third-party breach. Canadian energy company SUNCOR reports a cyberattack. What of the Internet Research Agency? Microsoft warns of a rising threat to infrastructure. Joe Carrigan describes an ill-advised phishing simulation. Mr. Security Answer Person John Pescatore takes on zero days. And DDoS grows more sophisticated.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/122

Selected reading.
Anatsa banking Trojan hits UK, US and DACH with new campaign (ThreatFabric)
Anatsa Android trojan now steals banking info from users in US, UK (BleepingComputer)
Thousands of American Airlines and Southwest pilots impacted by third-party data breach (Bitdefender)
American Airlines, Southwest Airlines disclose data breaches affecting pilots (BleepingComputer)
American Airlines, Southwest Airlines Impacted by Data Breach at Third-Party Provider (SecurityWeek)
Recruitment portal exposes data of US pilot candidates (Register)
Suncor Energy says it experienced a cybersecurity incident (Reuters)
Suncor Energy cyberattack impacts Petro-Canada gas stations (BleepingComputer)
Canadian oil giant Suncor confirms cyberattack after countrywide outages (Record)
Wagner and the troll factories (POLITICO)
Cyber risks to critical infrastructure are on the rise (CEE Multi-Country News Center)
The lowly DDoS attack is showing signs of being anything but (Washington Post)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The Anatsa Trojan reveals new capabilities.
Airlines report employee data stolen in a third-party breach.
Canadian energy company Suncor reports a cyber attack. What of the Internet Research Agency?
Microsoft warns of a rising threat to infrastructure. Joe Carrigan describes an ill-advised phishing simulation.
Mr. Security Answer Person John Pescatore takes on zero days, and DDoS grows more sophisticated.
I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, June 27th, 2023.
The Android banking trojan, Anatsa, has expanded its targeting to new banks in the U.S., the U.K., and Germany, according to researchers at ThreatFabric.
Anatsa is delivered via malicious apps in the Google Play Store, and it's been downloaded to collect sensitive information, credentials, credit card details, balance and payment information via overlay attacks and key logging.
This information will later be used by the criminals to perform fraud.
Anatsa provides them with the capabilities to perform device takeover fraud, which then leads to performing actions on the victim's behalf. Since transactions are initiated from the same device that targeted bank customers regularly use,
it has been reported that it's very challenging for banking anti-fraud systems to detect it.
So it's no longer a simple banking trojan.
It's showing potential for imposing much broader effects than it has in the past.
Third-party risk continues to affect organizations of all sizes and across multiple sectors.
This week, airlines are experiencing the challenge firsthand.
A month and a half after learning of a data breach involving their employees,
American Airlines and Southwest Airlines have determined that the incident originated with a third-party vendor,
Pilot Credentials, which both companies used. In a statement sent to employees, American Airlines explained that they had learned about an incident that occurred on May 3, 2023, and subsequently
launched an investigation. They say, according to the third-party vendor, an unauthorized actor
accessed the third-party vendor systems on or around April 30, 2023,
and obtained certain files provided by some pilot and cadet applicants during our hiring process.
The airline further explained that names, social security numbers, driver's license numbers, passport numbers, dates of birth,
airman certificate numbers, and other government-issued
IDs were potentially taken. It's offering two years of IdentityWorks identity monitoring
service to all who were affected. Bleeping Computer writes that 5,745 personnel were
affected by the breach. Southwest issued a similar disclosure. On June 23rd, the Office of Maine's Attorney General released a data breach notification for residents affected by the Southwest Airlines breach that put the tally of people affected at just over 3,000.
Southwest is offering a two-year Equifax credit monitoring program to affected individuals.
Sunday, June 25th, the Canadian energy company Suncor
disclosed that it was the victim of a cyber attack.
The company hadn't found any evidence that data
regarding customers, suppliers, or employees were affected.
Bleeping Computer reports that the company on Monday
warned users that they might be unable to log into their accounts
and that there was an ongoing issue with customers'
ability to accrue reward points. As of last Friday, many customers were tweeting that it is currently impossible to pay with credit or debit cards at Petro Canada stations,
leaving cash as the only option. The company's car wash season passes also seem to have been
affected. Reuters sought more information from the
authorities, but there was little on offer. They state the Canadian Center for Cybersecurity had
earlier said it was aware of reports of an incident affecting Petro Canada, but said it did not
generally comment on specific cybersecurity incidents. Petro Canada tweeted some partial
reassurance to customers. The gas stations are
all open, but customers may find some services interrupted. Turning to Russia's hybrid war
against Ukraine, in the wake of the Wagner Group's quickly begun, rapidly advancing, and then
suddenly abandoned march on Moscow, people have begun asking what's up with some of Mr. Prigozhin's other activities.
What about those trolls he runs, for example? The Wagner Group isn't the only private enterprise
that furnishes deniable support to Russian policy, Politico reminds its readers. There's also Mr.
Prigozhin's Internet Research Agency, the notorious St. Petersburg troll farm that drew widespread attention for retailing
disinformation aimed at influencing elections in the U.S. and elsewhere. How it will fare in the
aftermath of its corporate sister's mutiny remains unclear. Politico writes, the Russian oligarch's
empire reaches far beyond a paramilitary mercenary group to also include troll factories used to spread Russian propaganda.
Prigozhin has claimed on Telegram to have founded the U.S.-sanctioned Internet Research Agency,
and on another occasion said he has interfered in U.S. presidential elections through the spread
of disinformation. In any case, the mutiny's aftermath can be expected to include heavy
influence operations, directed for the most part at Russian opinion.
Much of Mr. Prigozhin's influence operations shade into marketing, particularly in the African countries where his forces remain active.
Lawfare yesterday blogged an assessment of how effective the Internet Research Agency has actually been.
The group's influence has been easy to overestimate,
but it can't be written off either.
So the troll farm remains in business.
Keep your eyes peeled.
Yesterday, Microsoft offered an appreciation
of Russia's likely courses of action
in the cyber phase of its war against Ukraine,
stating,
What we are experiencing now has become a hybrid war, both kinetic and digital.
The recent and ongoing cyber attacks have been precisely targeted with the aim to bring
down Ukraine's economy and government.
Microsoft's Digital Defense Report showed that the number of cyber attacks targeting critical
infrastructure has grown significantly.
The level of sophistication of cyberattacks is permanently evolving.
The continuing convergence of IT and OT networks represents an increasing risk,
especially given the relative fragmentation
and impoverished security of operational technology.
Microsoft says,
We identified unpatched high-severity vulnerabilities
in 75% of the most common industrial controllers
in customer operational technology networks. The company's report concludes with a set of
recommendations that provide organizations with an eight-step approach to improving
infrastructure security. And finally, distributed denial of service, that is DDoS, is showing signs
of growing sophistication.
Normally, it's just been a nuisance, like kids who won't get off your lawn, kids who ought to
know better. One of the experts cited by the Washington Post in a story on that growing
sophistication made an Alley Oop comparison. It's caveman stuff, right? And indeed, DDoS has for
some time been both a commodified nuisance
and one of the defining features of Russia's cyber campaign
against countries sympathetic to Ukraine.
Cloudflare CEO and co-founder Matthew Prince told the Post,
in the world of cybersecurity threats,
it's sort of the equivalent of a caveman with a club.
It's not particularly sophisticated, but can obviously do a lot of damage.
What we have seen is that the clubs continue to get bigger, and the cavemen have gone from
knocking down your website, which is embarrassing but may not be all that harmful, to now going
after what can be much more critical. Attacks against the domain name system and layer 7 attacks,
which hit the application layer of a network.
The newly emergent sophistication isn't confined to Russia's cyber auxiliaries,
but it can be expected to manifest itself in that quarter.
Expect Killnet to put down that club and pick up a baseball bat,
and expect them to get off their dinosaurs and into some cars.
Not some good ones, you understand.
Probably used Ladas, maybe the four-door, kind of the Babushka bomb.
Still faster than most dinosaurs.
Coming up after the break, Joe Carrigan describes an ill-advised phishing simulation.
Mr. Security Answer Person John Pescatore takes on zero days. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for
cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with
Black Cloak. Learn more at blackcloak.io.
Mr. Security Answer Person
Hi, I'm John Pescatore, Mr. Security Answer Person.
Our question for today's episode,
seems like every day this year a new zero-day vulnerability has been found in Android, iOS, Windows,
operating systems, or in major
applications. What's going on? Are the software players getting worse at secure software development,
or are the researchers and bad guys just getting better at finding more obscure vulnerabilities?
Let's narrow down the wiggle room before I answer your timely and interesting question.
First, there really isn't just one definition of what
a zero-day vulnerability is. NIST doesn't even have a definition in any of their publications.
The closest is zero-day attack, an attack that exploits a previously unknown hardware,
firmware, or software vulnerability. But that definition doesn't define previously unknown.
Is it unknown by anyone?
Or could it be known by the developer but unknown to the owner of the software, since
no patch or warning of the vulnerability has been provided?
The definition I like to use is closer to what Mandiant uses.
A zero-day vulnerability is one discovered either before the developer does or before
the developer has
provided a patch or mitigation guidance to customers of the impacted software.
Using Mandiant's published statistics, we see 20 zero days were made public in the first quarter
of 2023. But if that rate of zero-day discoveries continues all year, we'd see about 80 zero day vulnerabilities by the end of 2023.
That would be a 40% increase over the 55 found in 2022. That is still a bit below the record
year of 81 zero days that were exposed in 2021. There are two major classes of zero day
vulnerabilities. The first comes from developers making mistakes which are known stupid programming tricks
and should have been avoided.
The frequency of these can and should go down
as responsible software companies make investments
in secure software development lifecycle programs
that include developer training and use of tools
to detect known vulnerabilities in code.
The second class is when security researchers,
either responsible professional ones or criminal ones,
think of new ways to attack code.
We've seen a lot of that happening related to APIs
and common use in modern software.
These are unpredictable and immediately impactful,
but should eventually, ideally quickly,
turn into known stupid programming tricks.
If software was like a big kitty litter box we were cleaning,
obviously we'd like at some point to see nothing new coming up in the little cleaning scoop thing.
But software is more like an infinite beach of sand with new cats moving in
and scratching new pits in the sand all the time.
We are never going to run out of either type of zero-day being found in software.
To build on that analogy...
Actually, I'm going to abandon that analogy before it gets too gross.
Let's focus on what enterprises need to do
to reduce the risk of being damaged by attacks exploiting software vulnerabilities in general.
The first step is raising the security procurement bar
to drive all software vendors to
reduce the frequency of stupid programming tricks showing up in the code you buy from them or
download from GitHub for free. Check out the guidance materials available on safecode.org.
Patching faster to reduce vulnerability windows is a known and still necessary control.
Software whitelisting and application control are the next big pieces.
And those two techniques are widely in use already on mobile operating systems,
which is why we see very limited impact from zero days being found on Android and iOS.
I just can't resist going back to that analogy.
If nothing else, we should all put more pressure on software vendors
to filter their software litter boxes through finer-grained, scoopy things
that remove the nasty stuff before we put food in the software vendors' bowls.
Thanks for listening. I'm John Pescatore, Mr. Security Answer Person.
Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire.
Send your questions for Mr. Security Answer Person to questions at thecyberwire.com.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Security Institute and also my co-host over on the Hacking Humans podcast.
Joe, welcome back.
Hi, Dave.
So our listeners are probably aware that you and I both reside in Maryland.
And not far from us is Fairfax County, Virginia.
Yes.
In fact, you and I have probably passed through Fairfax County in our travels many times.
Yes, it actually shares a river border with the county I grew up in, Montgomery.
There you go.
So there's a recent story in the Washington Post here about something that went a bit awry on the last day of school at Fairfax County Public Schools.
What exactly happened here, Joe?
So here's what happened.
Teachers received an email saying, thank you for your service this year. We have partnered with this company called Company
Rewards to give out gift cards for employees as a thank you for another successful school year.
And the email included a link to redeem for a gift card. But if you click the link, you didn't get a link to a gift card.
You got a link to a phishing training site. So what this is, is Fairfax County is conducting
essentially phishing training by sending in phishing emails that they control to keep employees on their toes.
And this is a good policy in general. But like everything, it has to be done correctly.
And there are companies out there like the sponsor of our show, KnowBe4, and other companies as well
that help you do this. You can go out and buy a product and you can provide them with
an email address. They'll generate the emails or you can generate your own emails. And you can
generate emails that are very crafted towards your audience because that is exactly what attackers
are going to do. They're going to craft these emails to look very much like something that
you would receive or you would expect. They're going to
do a lot of open source intelligence gathering, and they're going to use that information
to build something that is highly likely to succeed. So there is something to be said for
the forethought being put into this, but I have said on multiple occasions on this show and on
Hacking Humans that this kind of thing is not the right
thing to do, where you start talking about people's incentives and start talking about
bonuses or other things or layoffs or something like that. That is something you leave to the
bad guys. And rather than conducting these kind of exercises where you send an exercise phishing
email to an employee promising a gift card or something.
You say, we're not going to do that.
We don't think that's ethical,
but the bad guys are going to do that.
And you make that part of your regular security training,
your regular security awareness training.
So every time that you have people
going through this training say,
we're going to be sending out these phishing emails,
but we're not going to do this,
but bad guys will do this. Don't fall for this. We don't give out gift cards at the end of
the year. We don't do that. That's not part of your employment contract. I believe these are unionized employees, so they
already have a clear contract. So it's perfectly fine to say that's not part of your employment
contract. We're just not going to do that. So don't expect that from us.
And if you see something that looks like it comes from us, in fact, there's a line at the end of this from Mr.
Walrod, who's actually the president of the teachers union, one of the teachers unions.
He said, we knew this one was real, talking about the apology email that came out from the
superintendent. The superintendent did issue a profuse and profound apology saying that this shouldn't
have been done, which is correct. It shouldn't have been done. But Walrod said that we know
this one wasn't real because he didn't offer us anything, right? Which is kind of the,
you know, he's being tongue in cheek, but, you know, if you're in a union contract,
you know, that contract is binding both ways,
right? Yeah. Yeah. So I think it's okay to say your contract doesn't have these kind of
incentives or these kind of things, so don't expect to see that. So this kind of stems back
from 2020 when Fairfax Public Schools were subjected to a ransomware attack,
something that's happened here in Maryland as well.
I think Baltimore County Public Schools had something happen very similar.
And these kind of things, these guys go after school systems. So school systems are by no means exempt
because they contain an absolute trove of personal identifiable information. If you're looking to get a bunch of
stuff for identity theft, I can think of no better place to look for that than stealing all the
information on all the high school students in the school system. Because these are people who
are going to turn 18 in the next year or four years, you could create a bunch of fake identities around these
people as essentially synthesized personas for them. And yes, that would make their lives more
miserable. But hey, I mean, these criminals need to make a living too, right? Yeah.
So let me ask you this, because I think some of our listeners are probably thinking to themselves that old saying about how you practice like you play.
And, you know, you want to, for a test like this to be realistic, you want to put people in the kind of situation that they might be faced with.
And so we shouldn't go easy on them.
We should send them the things, the hard stuff, the ones that do get their emotions out of whack.
You don't agree with that? I think it depends on the situation.
There are places where I would agree with that. I don't think a school is one of them.
I would be much more willing to go play more hardball in the practice in something that
deals with classified information,
national security, those kind of things. Right. Soldiers rather than teachers.
Right. Yeah. The people, you know, the people with real force, people that have the ability
to use real force, those people I want more sharply trained. You know, that kind of thing.
I think that here with a teacher and at the end of the year, I think the better way to go about this is just a mandatory security awareness training session. We're not going to do this. We're not going to do that. It's all a bunch of hooey if you see it. I think that kind of
reminder is a much more pleasant way to go about doing it than this was. Yeah, absolutely. But I
totally get the reasoning behind it. The reasoning behind it is not invalid. I just don't think it's,
this is not a cut and dry situation. So, you know, I will argue this point with people and I will not call people that disagree with me wrong on it.
I'll just say that I'm more correct.
Yeah, I think in this case, it's ultimately corrosive with your coworkers.
It is.
You got to be sensitive.
Yes.
All right.
Well, Joe Carrigan, thanks for joining us.
My pleasure, Dave. Thank you.
smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence
and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Urban and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Thank you.
and data products platform comes in. With Domo, you can channel AI and data
into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.