CyberWire Daily - Callback phishing offers to solve your problem (it won't). Mustang Panda's recent activities. DEV-0569's malvertising campaign. 10 indicted in BEC case. Developing a cyber auxiliary force.

Episode Date: November 21, 2022

Luna Moth's callback phishing offers an unpleasant and less familiar form of social engineering. New activity by China's Mustang Panda is reported. DEV-0569 is using malvertising to distribute Royal ransomware. US indicts 10 in a business email compromise case. Developing a cyber auxiliary. Dave Bittner sits down with AJ Nash from ZeroFox to discuss holiday scams. Our own Rick Howard speaks with us about cloud security. And beware of Black Friday scams. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/223

Selected reading.
Threat Assessment: Luna Moth Callback Phishing Campaign (Unit 42)
DEV-0569 finds new ways to deliver Royal ransomware, various payloads (Microsoft Security)
Earth Preta Spear-Phishing Governments Worldwide (Trend Micro)
EXCLUSIVE: Rounding up a cyber posse for Ukraine (The Record by Recorded Future)
Tech for good: How the IT industry is helping Ukraine (Computing)
10 Charged in Business Email Compromise and Money Laundering Schemes Targeting Medicare, Medicaid, and Other Victims (US Department of Justice)
Black Friday and Cyber Monday risks. (CyberWire)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me, now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Luna Moth's callback phishing offers an unpleasant and less familiar form of social engineering. New activity by China's Mustang Panda is reported. DEV-0569 is using malvertising to distribute Royal ransomware. U.S. indicts 10 in a business email compromise case. Dave Bittner sits down with A.J. Nash of ZeroFox to discuss holiday scams. Our own Rick Howard speaks with us about cloud security. And folks, beware of Black Friday scams.

From the CyberWire studios at DataTribe, I'm Tré Hester, filling in for Dave Bittner with your CyberWire summary for Monday, November 21st, 2022.
Palo Alto Networks' Unit 42 is tracking a large callback phishing campaign they call Luna Moth. The criminals behind the operation are using legitimate tools to exfiltrate data with a view to using it for extortion of the data's owners. Unlike classic phishing, which tries to get the victim to execute a malicious package in the phishing email itself, callback phishing, as the name suggests, requires the victim to get in contact with the attacker. The attacker then uses social engineering to trick the victim into granting access to a system or transferring money. An email with a legitimate PDF pretending to be an invoice for an unwanted subscription is received, and instead of carrying malware, that PDF carries a callback phone number the victim is asked to contact. There's a kind of organizational two-step involved, Palo Alto explains. Quote, "The initial lure of this campaign is a phishing email to corporate email addresses with an attached invoice indicating the recipient's credit card has been charged for a service, usually for an amount under $1,000. People are less likely to question strange invoices when they are for relatively small amounts. However, if people targeted by these types of attacks reported these invoices to their organization's purchasing department, the organization might be able to spot the attack, particularly if a number of individuals report similar messages," end quote.
Once on the phone, the scammer will persuade the victim to allow permission to manage their device and cancel the subscription. Once they're in, the crooks steal data and proceed to familiar extortion. Quote, "The phishing email is personalized to the recipient, contains no malware, and is sent using a legitimate email service. These phishing emails also have an invoice attached as a PDF file. These features make a phishing email less likely to be intercepted by most email protection platforms," end quote.

After exfiltrating the data, the attackers email the compromised organization and demand a ransom. The ransom amounts vary depending on the organization's revenue and range from around $30,000 to over $1 million worth of Bitcoin. It will come as no surprise to learn that Unit 42 says the scammers don't always follow through with their promise to provide proof that the stolen data have been deleted. Not that you'd trust any offer of proof, of course, but, you know, just in case a friend might ask.
On Friday, Trend Micro described recent campaigns by Mustang Panda, or Earth Preta as Trend Micro calls it, a threat group associated with the Chinese government. The cyber espionage campaign abused fake Google accounts to distribute the malware via spear phishing emails, initially stored in an archive file and distributed through Google Drive links. Quote, "These links served as lures to induce the victims to download malware that would be used against them in cyber espionage campaigns." Australia has been most heavily targeted, but Myanmar, Japan, Taiwan, and the Philippines have also received a great deal of attention. The current campaign, however, has not been confined to those countries. Its spear phishing has been observed at lower levels in many other parts of the world. Mustang Panda appears to engage in extensive reconnaissance and to spend some time in getting the target to regard its persona as familiar. Most of the documents used as phish bait are written in Burmese, and the targets are overwhelmingly government agencies, especially those engaged in research. Three distinct malware strains are in use: PUBLOAD, a stager; TONEINS, an installer for backdoors; and TONESHELL, the principal backdoor deployed in the campaign. Sensitive documents stolen in earlier stages of the attack are subsequently repurposed as phish bait for subsequent phases.
Microsoft has identified a relatively young ransomware cluster of threat activity, DEV-0569, first noted in August, which is distributing the Royal ransomware strain using both malvertising, in this case malicious Google Ads, and phishing as an infection vector. Recently, DEV-0569 has been seen using malicious Google Ads, a better way to blend in with ordinary ad traffic. Initial access to compromised accounts seems generally to be obtained via a BATLOADER-delivered Cobalt Strike Beacon implant. It's also been using NSudo, an open-source tool that has some success interfering with antivirus solutions. The methods are complex and innovative, but Infosecurity Magazine observes that they also bear some resemblance to Emotet operators' use of IcedID. We note in full disclosure that Microsoft is a CyberWire partner.
On Friday, the U.S. Department of Justice announced the indictment of 10 individuals on charges related to fraud that targeted Medicare, state Medicaid programs, private health insurers, and numerous other victims. Specifically, the charges allege wire fraud, business email compromise, and money laundering. In the aggregate, victims lost, the DOJ says, some $11.1 million. The alleged fraudsters concentrated on diverting payments intended for hospitals.

Much of the attention given to Ukraine's methods for marshalling non-governmental actors to its cyber defense has focused on the IT Army of Ukraine, effectively an auxiliary of regular government agencies. Recorded Future describes another aspect of that defense, direct assistance received from Western tech companies. Quote, "Dozens of companies from U.S. cybersecurity, threat intelligence, and the tech world from Mandiant to Microsoft have banded together in a kind of volunteer cyber posse, wading into the middle of the conflict without a pretense of neutrality," end quote. The companies have organized themselves as the Cyber Defense Assistance Collaborative, and this mode of constructing public-private partnerships for cybersecurity, particularly in wartime, merits serious study to extract lessons learned.
And finally, attention shoppers, Black Friday is by tradition this Friday, the day after the U.S. Thanksgiving holiday. It's when many American consumers start their holiday shopping in earnest. And the darkness imputed to the day comes, we think, from the grim experience of shoppers throwing elbows at brick-and-mortar doorbuster sales. The somewhat more recent tradition, Cyber Monday, follows three days later, and people go online for the same purpose, only the elbows are being thrown virtually. Both days have swollen into weeks, driven by season creep and marketing imperatives, but they do tend to peak on their customary dates. But online scammers haven't waited, and they've been preparing their fraud for well over a month. So friends, be wary and be alert. Shoppers, if it sounds too good to be true, well, it probably is.

Coming up after the break, AJ Nash from ZeroFox discusses holiday scams, and our own Rick Howard speaks with us about cloud security. Stick around.

Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.

Hard to believe the holidays are upon us, which for many means getting together with friends and family and shopping online for gifts for loved ones. A.J. Nash is Vice President of Intelligence at ZeroFox, and I checked in with him for insights on the types of online fraud activity he and his colleagues are tracking.
This year in particular, you're dealing with an economy that's been challenging, so people are more inclined to believe the not-believable deal than they might in some years, because people are really trying to get a great deal. A lot of folks are. So you have that combined with some challenges in the social media space with validation and verification of companies, of people. That's a really dangerous situation in terms of being defrauded. So we always talk about if it's too good to be true, don't believe it. That's old advice. I think our parents have told us that through our kids, but we talk ourselves out of that sometimes, you know, and certainly I don't think anybody's going to buy a Ferrari for $15 on the internet, but, you know, that $150 item that is the hot item this year that your kids or your significant other really, really wants, you might convince yourself $40 is possible now, whereas it's probably not. So I think that opens the door for more opportunities for criminals, unfortunately. And so they're going to leverage social media. They're going to put out advertisements that are false advertisements that might be tied to social media accounts that look valid. They may even have that advertisement that takes you to a link to another website that looks valid. It's not that hard to set up a website that looks legitimate or buy a domain that looks like it's the right domain but has a slight typo in it, or they used a lowercase L instead of an I or something like that. And then they're going to steal your information. That's what it comes down to. Criminals steal your information, or they're going to steal your money and sell you something that doesn't exist. So I think we're going to see, unfortunately, I think it's going to be a pretty big year for criminals. It's a big year for retail, and I think it's going to be a big year for criminals as a result.
What about the platforms themselves? I'm thinking of places like Facebook Marketplace or eBay or even Amazon itself. I mean, what sort of progress have you seen them making, if any, year over year when it comes to tamping down on some of these fraudulent actors?
Yeah, that's a great question. All of those environments have fraud, but all of those environments have put a lot of effort into it. Those companies have worked very hard at this. They've partnered with companies who are focused on this and worked diligently to bring these down. The problem is just a matter of volume. Amazon is the world's largest retailer. For all of their efforts, there's going to be some things that consumers still have to look for. It's just the nature of it. But I would say I personally have seen great improvements from all the companies you just mentioned. They've invested heavily, for what it's worth, I hope I'm allowed to say that, in intelligence and in cybersecurity and in counter-fraud technologies. They're always looking for a new way to identify fraud and take action, up to and including law enforcement. These companies know this impacts their business, so it's certainly in their best interest to keep fraud to a minimum on their sites. In most cases, the folks I've talked to about this, they actually care about the customers. Genuinely, I know people might be surprised to hear that. It's not just about making money. The folks we talk to want customers not to be defrauded because those customers include their family and their friends and everybody they know, too. So it matters. And I've seen a lot of effort by all the companies you were talking about to really go heavily into this space, to invest in resources internally, to partner with great companies who are capable of rooting these things out, and again, to take actions, to really go to the far end, to try to prosecute when possible, especially for some of the larger criminal enterprises, criminal rings of fraud. They're going at it pretty hard. These companies care about this. But as a consumer, we have to understand it's still going to exist. The companies have to do the best they can, and their due diligence, I believe, exists. But as consumers, we still have to look to and be careful and understand the signs of a scam. We have some responsibilities too.

As the holidays approach, a lot of us will be getting together with our families and our friends. And I think a lot of those folks rely on us for expertise when it comes to these things, these things that they consider to be technical, I think, like online shopping and online fraud and all that sort of stuff. Any words of wisdom there in terms of the messages that we should be sharing with our less technically savvy loved ones?

Yeah, I mean, that's a great question,
right? Every time I visit family, first I have to explain to them how I can't actually fix their computer because that's not what I do. But I'm sure everybody has that too. Just some things are just settings. You know, how do I make the volume a different sound? But when you get into these things, yeah, I think, you know, some things that everybody can appreciate and understand, right? If it's too good to be true, again, reminding people of the tried and true, if it's too good to be true, it is. I mean, almost certainly. You know, if somebody reaches out to you that you didn't anticipate, if there's unsolicited email, unsolicited text message with this great thing, it's probably a scam. You know, with all due respect to anybody and everybody listening, none of us individually are that important, all right? Nobody's reaching out to us specifically because we're special and they want to help us out with this great, amazing deal. We've got to recognize that, right? Not clicking on links, of course. If you're looking at a deal on, say, one of the websites you mentioned that hosts retail, it doesn't take much time or effort to open a browser and do a little research on the company, look for backgrounds, see what else is out there, see if they're a legitimate company, look for, you know, reviews, which we all do, certainly within a site like an Amazon, but you also look other places for reviews. I tend to look at two or three different sources for reviews; that can really help you sort that out. Don't give away personal information. Of course, we all know this one, right? You know, if somebody is asking, and especially if they're pushy about personal information, it doesn't make sense. Don't allow it. In the event that you purchase something, there's something called a non-delivery scam, where somebody may impersonate a retailer, might even set up a fake website. If you buy something and you don't get a tracking number, that's a sign, and you might want to take action early to prevent the fraud from going through. Most of our credit card companies, thankfully, are pretty protective of us. There's other services like PayPal that are as well. If you get to this early enough, you might be able to reverse a charge. So also, that's an indicator. If you thought you weren't sure and you took the chance anyway, and now you can't get a tracking number and nobody's responding to your emails, don't wait. Assume that that's going to be a scam and go right to work with your credit card company and have them shut that off. If it turns out it's not a scam, you've inconvenienced a seller; that's a safe effort for us to take on. I think those are a handful of things that we can tell people that I think people can connect to and understand. You know, when in doubt, due diligence is really important. And again, you know, the last bit we all know is just because you read it on the internet doesn't mean it's real. I don't care what site you're on. I don't care, you know, and I don't care if it seems real. Oh, this guy's really excited about it on Facebook and I followed him on other things and he's interesting. It doesn't mean it's real. If somebody else who doesn't have any expertise tells you, no, I just bought it, it's great, but they haven't received the thing yet, don't run out and buy the thing. You know, we've got to, unfortunately, we've got to take a pause and take a second. I don't know what the hot item is this year. And I'm old enough to remember when it was Tickle Me Elmo or Cabbage Patch Kids or whatever, right? I'm sure there's something like that this year. And I'm sure people are desperate for it. Whatever that thing is, those hottest items are the ones that we have to be the most careful about.

That's AJ Nash from ZeroFox.
It is always a treat to welcome back to the show the CyberWire's own Rick Howard.
He is our chief security officer, also our chief analyst. Rick, welcome back. Hey, Dave.
So for this week's CSO Perspectives show, you are rolling out another one of your popular Rick the Toolman episodes, and this one is on... I love these.
Yeah, me too. These are on cloud security. What do you got in store for us?
Well, Dave, as you know, I am a sucker for good information design. You know, I was brought up back in the day on the Edward Tufte school of how do you convey complex information either on a page or a slide or a web page in some efficient manner, but providing as much intelligence as possible to help leaders make decisions with. Are you familiar with Dr. Tufte, Dave? Have we talked about him before?

I am actually familiar with him, yes. I have a couple of dear friends who went to art and design school, so they turned me on to him. Our boss. Yeah. In fact, as I look across at our CyberWire library of books, there are several of his books that are in our library here. So, absolutely familiar with his stuff and certainly admire and appreciate it.

Well, he does this American city tour every year, and it's an eight-hour seminar that's relatively cheap. And at the end, you get to take home all four of his books. I've been to it twice, and I highly recommend it. So, when I see a great example of information design, I stop what I'm doing and take a moment to take a look at it.

Yeah, I'm the same way. You know, over in our CyberWire Slack channels, you were saying that the intel team from a company called Expel, which I believe is a software-as-a-service delivered SOC service, they had produced a one-pager for both AWS and GCP about how cyber bad guys had traversed the intrusion kill chain using APIs.

I know, and I love it. It's on one page. The Expel intel folks lay out the MITRE ATT&CK TTPs used by the adversary campaigns, the cloud providers' services those campaigns leverage, the associated identity and access management services they subvert, and all the API calls used in the campaign. So, in this Rick the Toolman episode of CSO Perspectives, I interview the senior intel analyst at Expel to talk about how to use the chart in your day-to-day operations.

All right. Well, that is over on the pro side. What episode are you publishing on the public side?

In the public feed, we publish CSO Perspectives shows from the archive. It's called CSO Perspectives Public. Who knew? You know, that's a really great name. Clever. So this week's show is from February of this year. I'm talking to Amanda Fennell, the CIO and CSO of Relativity, about how to manage the risk of the software supply chain.
Yeah, always time well spent chatting with Amanda. She has her own podcast that's hosted here on the CyberWire Network. It's called Security Sandbox. I have always enjoyed every conversation I've had with her.

Yeah, it's a great show, and she's one of the shining lights in our industry. And since Relativity delivers its services as a SaaS product, she knows a little something about how to reduce the risk of the software supply chain.

Good stuff. Before I let you go, what is the phrase of the week over on the Word Notes podcast?

So this week we're talking about the history of the domain name system and how it works. This little system that practically nobody pays attention to except for network managers and nerds like me who like Internet history. But it's the lubricant that makes the Internet work, and it's so complicated. So we try to make it understandable to the layman's point of view this week.

All right. Sounds good. Rick Howard, he is the CyberWire's chief security officer and our chief analyst, but most importantly, he is the host of the CSO Perspectives podcast. Rick, great talking to you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Tré Hester filling in for Dave Bittner. Thanks for listening. See you back here tomorrow.

Thank you.

platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.