CyberWire Daily - BEC attack exploits Dropbox services. Ransomware in the name of charity. API protection trends. Hybrid war hacktivism. Executive digital protection.
Episode Date: May 18, 2023
Business email compromise (BEC) exploits legitimate services. A hacktivist ransomware group demands charity donations for encrypted files. Trends and threats in API protection. The effects of hacktivism on Russia's war against Ukraine. Executive digital protection. Deepen Desai of Zscaler explains security risks in OneNote. Our guest is Ajay Bhatia of Veritas Technologies with advice for onboarding new employees. And news organizations as attractive targets.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/96
Selected reading.
Leveraging Dropbox to Soar Into Inbox (Avanan)
MalasLocker ransomware targets Zimbra servers, demands charity donation (Bleeping Computer)
Shadow API Usage Surges 900%, Revealing Alarming Lack of API Visibility Among Enterprises (Business Wire)
APIs are Top Cybersecurity Priority for Most Organizations, Yet 40% Do Not Have an API Security Solution (PR Newswire)
Evolving Cyber Operations and Capabilities (CSIS)
Following the long-running Russian aggression against Ukraine. (The CyberWire)
Executive Digital Protection whitepaper (Agency)
The Philadelphia Inquirer’s operations continue to be disrupted by a cyber incident (The Philadelphia Inquirer)
Cyberattack at the Philadelphia Inquirer. (The CyberWire)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.
Business email compromise exploits legitimate services.
A hacktivist ransomware group demands charity donations for encrypted files.
Trends and threats in API protection.
The effects of hacktivism on Russia's war against Ukraine.
Executive digital protection.
Deepen Desai from Zscaler explains security risks in OneNote.
Our guest, Ajay Bhatia of Veritas Technologies, with advice for onboarding new employees.
And news organizations as attractive targets.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, May 18th, 2023.
Avanan reported this morning that a business email compromise campaign is abusing legitimate Dropbox services.
BEC 3.0 is a social engineering approach
that takes advantage of legitimate services to gain entry to its targets.
This campaign, in particular, works by sharing a fake resume through Dropbox
and leading victims to a false login link to open the document.
If the user shares their credentials,
they will also be led to a malicious link that could further compromise their system.
A new ransomware group has been seen operating in the name of the less fortunate, or at least
it says that's what it's doing. The hacktivist group encrypts files on its victims' computers
and demands the company affected donate to a charity group of its choosing to receive the decryption key.
Bleeping Computer reports that the ransomware operation MalasLocker began encrypting Zimbra servers toward the end of March 2023.
Victims reported in both the Bleeping Computer and Zimbra forums that their emails were encrypted.
MalasLocker posted its manifesto on its dark web leak site,
in which the group states that they are waging war on the rich to promote equality.
Their motto, it seems, as reported by Bleeping Computer, roughly translated to English, says,
We are bad. We can be worse.
One simple question that comes to mind is,
how are the hackers verifying that the company's donated?
Simply put, MalasLocker doesn't have a verification method.
On their website, they write, We have no real guarantees they are actually sending the money.
MalasLocker hasn't yet been associated with any larger organizations,
and the methods they use to obtain access to their targets remain a mystery.
And it's unclear what charities, if any, might actually want to be the beneficiaries of such campaigns.
Cequence Security released its API Protection Report for the second half of 2022.
The report highlights the tactics,
techniques, and procedures of malicious actors targeting APIs. Shadow APIs, defined by the
researchers as unmanaged, unknown, and unprotected APIs, saw a 900% increase from the first half of
2022 to the second. Unique TTPs saw a 550% increase over the holidays. Additionally, researchers
observed a 220% increase in API security over traditional application security tactics
in the same period. Traceable AI also discussed the state of API security in a report this morning
prepared at this year's RSA conference. API security remains a major point of concern
as researchers say they determined that 40% of companies
do not have dedicated professionals or teams for API security,
while 23% of respondents do not know
if there is dedicated API security in their organization.
Many respondents, 66%, report struggles with API
sprawl, or in some cases don't know if their company is adequately managing it.
Hacktivism may be the most influential propaganda method in the era of the hybrid war.
A study published this morning by the Center for Strategic and International Studies
addresses various aspects of the war in cyberspace. One of the report's essays looks at the use of
proxies, that is, deniable hacktivist or criminal groups that serve as cyber auxiliaries under the
direction of state authorities. That direction can be relatively loose or relatively stringent.
The essay takes two representative
groups, the IT Army of Ukraine, who operates in the interest of Kyiv, and Killnet, who works under
Moscow. It sees similarities in the effects they've achieved and concludes that the proxies
have had the most significant effect in terms of propaganda. The proxies' records, the study concludes, suggest that
they're best understood as influence operations. Cybersecurity company Agency has released an
executive digital protection white paper discussing the protections of high-value assets and targets
within an organization. Securing the digital lives of executives, or executive digital protection, as Agency calls it,
is increasingly being observed as part of the cybersecurity strategy within organizations
to fight against employee-targeted digital risks.
The white paper emphasizes that there are other individuals within organizations
who may not be executives, but who may fill a public-facing high-risk role
or work within an executive's inner circle.
These, too, may require protection.
The report also advises a program broadly addressing protection
rather than homing in on specific narrow risks.
For an effective solution,
Agency recommends focusing on options
that balance breadth, value, privacy,
and specialization. And finally, the Philadelphia Inquirer was hit by a cyber attack last week
that interrupted its news publications, and the paper has continued its investigation and recovery
since then. The Inquirer wrote that it had been unable to print its regular Sunday newspaper,
and it was not clear until late Sunday afternoon that it would be possible to print Monday's
editions of the Inquirer and Daily News. Online stories were said to continue, though sometimes
at a slower pace than usual. The paper reported that employees would be barred from entering its
main office, which could impact the paper's coverage of the Democratic primary for the mayoral race.
Coming up after the break, Deepen Desai from Zscaler explains security risks in OneNote.
Our guest is Ajay Bhatia of Veritas Technologies
with advice for onboarding new employees. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Onboarding new employees often involves a lot of moving pieces
with information gathered, policies put in place, access granted, and so on.
Ajay Bhatia is General Manager for Data Compliance and Governance at Veritas Technologies.
I spoke with him about best practices for how companies can ensure data protection and compliance
while navigating the challenges of onboarding new employees.
We've kind of seen multiple phases here in quick succession,
which is the great resignation, the great hiring, the great firing,
the quiet quitting.
With the quick employee turnover fueled by these phenomena
and the rise of a new workplace culture,
companies are hiring and onboarding new employees at a very rapid pace.
We must find a way to quickly and efficiently onboard new hires.
But unfortunately, sometimes this means many essential trainings,
policy reviews, and new employee guidelines can sometimes slip through the cracks.
Can we go through some of the things that folks typically have to work through here?
I mean, off the top of my head, I can think of, obviously, you're setting up an email address for someone, for most people, that sort of thing.
What other things are typically on that list?
Yes.
So I think one of the few things is ensuring that new and existing employees are aware of the complicated risk landscape. Because after the pandemic, we've got a remote workforce that further complicates the ability for organizations to be able to track where their data is and also be able to respond to active threats such as ransom attacks and phishing that are now targeting the entire workplace data.
And so getting a good handle on that is essential to avoiding expensive and detrimental complications.
So beyond setting up email, welcoming the employee, I think some of the best practices for how companies can ensure protection of their data, and also compliance on the data when onboarding new employees,
I would say it's in a couple of buckets.
One is to implement mandatory trainings to be completed within the first two months of employment,
ensuring that all receive the necessary information on the potential risks and strategies
that bad actors use to
implement phishing attacks and how these attacks can lead to various outcomes, such as non-compliance
penalties and some complications in the way we manage data. The second, I would say, best practice is set usage guidelines on the collaboration tools.
So we found out that more than 70% of office workers globally admit to sharing sensitive
and business-critical company data using IM, business collaboration tools, Teams, Zoom,
and other sources of content generation. I think it's essential that companies
set information sharing policies that account for those kind of tools, and even the new ones like
chatbots, to combat new risks. You know, we often hear of this notion of shadow IT, where, you know,
if people don't have the tools they think they need to get the job done,
they'll find a workaround. It strikes me that that could be a component here, that part of this is
educating your employees that if they need to be able to do something and they feel like there's
a roadblock there, they need a pathway to be able to sort that out without taking matters
into their own hands. I fully agree there, Dave, because at the end of the day, for any company, it comes down
to managing data and assets in a manner that increases the value of the data but reduces the
risk quotient. Because if companies don't do that, then some of the evolving changes in regulation,
as well as the problems posed with the shadow IT situation, can be a challenge to profitability in years to come.
Because we need to closely monitor how employees handle and share and store different types of data. Some of it could be what we call as personally identifiable information, or PII,
health, financial, and proprietary information. All of these need to be managed in a way
that ensures compliance also
with data privacy regulations, not just in the United States, but across the globe if the company
is a multinational. So I think IT professionals feel that additional pressure on their workload
to keep up with this. We can somehow implement three tactics to gain visibility that would definitely
set up any organization for long-term success. And then some of these are done with AI and ML
ops at scale. I would say the three tactics I would nominate are, number one, identifying and
categorizing dark data. So on average, more than half of a company's data is dark.
And aside from costing above, I would say, $30 to $40 million a year just in the storage burden,
this dark data poses significant risk to our compliance efforts,
especially when it's hiding in an image, audio, or video generated by some of the newer collaboration tools.
And how do you define dark data?
So dark data can be something that we have no clue what it is.
We've consumed it.
It shows up in a storage envelope.
There could be immense value in it,
or there could be immense risk in it.
It's data that is not classified. It is data that is not transcribed.
It's data that is not enriched with any other
metadata tags on it to exactly say what it is, whether it is relevant and active, whether it is
irrelevant and active, whether it's irrelevant and inactive, or whether it's redundant, obsolete,
and trivial, or rot, like we call it. So it's data that has not been processed. It's sitting there. And like I said, it could be
a value or a risk. More often than not, it ends up being a risk factor for most companies.
And so what are the other elements that you were discussing?
I would say beyond identifying and categorizing dark data, the second one is automating a classification system.
So we just talked about the need to classify all of this data.
And as humanity, we're producing data at a rate of more than
500 exabytes per day, according to some of the IDC reports.
And so to really manage and categorize all of this data,
companies that they collect and generate, they need to implement automation so that it can be managed through its lifecycle of capturing it, classifying it, contextualizing it, and then being able to decide whether you want to back it up, archive it, use it for monitoring your utilization, as well as in any litigation support eventually.
The third aspect, because now it's so ubiquitous, then you have to democratize the data classification,
which means it's not just an IT or legal team responsibility.
Any part of a business can be at risk of failing to comply.
And so individuals outside of the IT team should be able to classify their own content.
So those would be my three areas, Dave, identifying and categorizing the dark data, automating the classification system, and then democratizing the data.
That's Ajay Bhatia from Veritas Technologies. And I'm pleased to welcome back to the show Deepen Desai.
He is the Global CISO and Head of Security Research and Operations at Zscaler.
Deepen, always a pleasure to welcome you back. I know you and your colleagues have had an eye on OneNote lately and the potential here
for it to play a part in malware distribution. What exactly are you all tracking here?
Thank you, Dave. Yes, so OneNote documents, we're starting to see more and more threat actor groups referring to malware families starting to leverage OneNote documents to distribute malware.
So they're abusing the fact that you're able to execute several scripting files by embedding them inside OneNote documents.
And how exactly are they going at this?
And how do people find themselves victims here?
So the victim part starts as usual.
Like what we've seen in the past is you will see an email that contains a link pointing to an Office document.
They were heavily abusing Microsoft Office doc files, XLS files. But Microsoft, in July 2022, did an update where they disabled macros by default for
Office documents.
And this made the approach not reliable for these guys when they were trying to attack these victims using malicious macro-enabled documents.
This is where the TTPs remain the same.
They identify the victims.
They go after them.
They will send an email with a link pointing to a document or the document attached to the email itself.
There's some level of social engineering involved there. One example that I can give you actually for that starting point is a campaign where we saw a reply email chain. So reply email
chain is where they take an existing email thread and they will reply to that thread and attach this
malicious document. So one of the users' account obviously is compromised at that point,
but now they're trying to establish persistence into the end machine as well.
So this is where OneNote is now becoming the go-to mechanism
for distributing this malware because the security mechanism that got updated in July breaks the
attack chain for Office documents. So they're now using OneNote to achieve similar results
where they will have scripts like CHM, HTA, JavaScript, VBS, which is Visual Basic Scripts.
They can run these scripts by embedding them inside OneNote documents.
So is this the classic case of whack-a-mole here,
where perhaps now Microsoft needs to take a look at disabling this functionality by default?
Yeah, I mean, it is always the case.
They will continue to evolve.
Security vendors will continue to evolve.
And all these application vendors will also have to continue to evolve.
There will be certain things that you will have to do as part of your proactive defenses.
And then there are things that you will end up doing reactively when the other group identifies some loopholes.
So again, in this case, I mean, there are, Microsoft already acknowledged they're working
on something to probably strengthen this area as well, but there are existing policies that
can play a role as part of that proactive defense that I was talking about. So you could configure a group policy, for example,
to protect against malicious Microsoft OneNote files.
You could basically block embedded files in this OneNote altogether
using these group policies.
Again, Dave, the flow is you get a phishing email,
there is a OneNote attachment, which has an embedded scripting file, which is
where the damage starts. The document will open some decoy PDF file or document, or the user will
not see what's going on in the back end. But in the back end, that scripting file will download
a DLL and lead to the actual end malware. So in this, we have seen three different families already.
When I say family, three different groups of families.
So one is banker malwares, another is stealer malwares,
another is RAT.
Even prominent groups like Emotet, Qakbot,
they've all started leveraging OneNote
as a means to distribute the DLL files.
All right. Well, the cat and mouse game continues.
Deepen Desai, thank you so much for joining us.
Thank you, Dave.
Thank you.
trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data,
and ensuring your organization
runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin
and senior producer Jennifer Iben.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilpie
and I'm Dave Bittner.
Thanks for listening.
We'll see you back
here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.