CyberWire Daily - CISA warns of Telerik vulnerability exploitation. Cloud storage re-up attacks. Phishing tackle so convincing it will deceive the many. Cyber developments in Russia's hybrid war.
Episode Date: March 16, 2023

Telerik exploited, for carding (probably) and other purposes. Cloud storage re-up attacks. Cybercriminals use new measures to avoid detection of phishing campaigns. "Winter Vivern" seems aligned with ...Russian objectives. Microsoft warns of a possible surge in Russian cyber operations. Boss Sandworm. Johannes Ullrich from SANS talking about malware spread through Google Ads. Our guest is David Anteliz from Skybox Security with thoughts on federal government cybersecurity directives. And don't fear the Reaper. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/51

Selected reading.
Threat Actors Exploited Progress Telerik Vulnerability in U.S. Government IIS Server (Cybersecurity and Infrastructure Security Agency CISA)
Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server | CISA (Cybersecurity and Infrastructure Security Agency CISA)
CISA: Federal civilian agency hacked by nation-state and criminal hacking groups (CyberScoop)
US govt web server attacked by 'multiple' criminal gangs (Register)
The Cloud Storage Re-Up Attack (Avanan)
Threat Spotlight: 3 novel phishing tactics (Barracuda)
Winter Vivern | Uncovering a Wave of Global Espionage (SentinelOne)
Is Russia regrouping for renewed cyberwar? (Microsoft On the Issues)
A year of Russian hybrid warfare in Ukraine (Microsoft Threat Intelligence)
Russian hackers preparing new cyber assault against Ukraine - Microsoft report (Reuters)
Microsoft Warns Russia May Plan More Ransomware Attacks Beyond Ukraine (Bloomberg)
This Is the New Leader of Russia's Infamous Sandworm Hacking Unit (WIRED)
What's known and not about US drone-Russian jet encounter (AP NEWS)
Russia tries to retrieve downed US drone in Black Sea (The Telegraph)
Downed U.S. drone points to cyber vulnerabilities (Washington Post)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Telerik is exploited for carding and other purposes.
Cloud storage re-up attacks.
Cyber criminals use new measures to avoid detection of phishing campaigns.
Winter Vivern seems aligned with Russian objectives.
Microsoft warns of a possible surge in Russian cyber operations.
Boss Sandworm.
Johannes Ullrich from SANS talking about malware spread through Google Ads.
Our guest is David Anteliz from Skybox Security
with thoughts on federal government cybersecurity directives.
And don't fear the Reaper.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 16th, 2023.
We begin with a report of the widespread exploitation of a vulnerability in Progress Telerik,
a tool suite used for cross-platform application development.
Multiple threat actors, including at least one APT group,
were able to compromise a U.S. federal civilian agency
via a known Progress Telerik vulnerability in an IIS server,
according to a joint advisory released by CISA, the FBI, and the MS-ISAC. The advisory notes that
the vulnerability allowed the attackers to execute code on the agency's web server.
The organization's vulnerability scanner failed to detect the vulnerability because the Telerik UI software was installed in a file path it does not typically scan.
CISA notes that a nation-state actor and a cybercriminal group both exploited the vulnerability.
CyberScoop says the criminal gang, known as XE Group, is known for card skimming.
The incident amounts to a software supply chain attack.
Avanan this morning released a report detailing an attack
that threatens deletion of personal files for the purpose of credential harvesting.
Researchers share that the attack begins with a phishing email.
The email says that the user's cloud storage is full
and provides a link to get 50 more gigabytes for free.
Of course, the link does not go to a legitimate cloud file storage site.
Rather, it's a malicious link to a credential harvesting site.
The site tells users to validate their account by inputting their credit card number,
which will be charged by the threat actors and taken if entered.
Barracuda has published a report looking at three novel phishing tactics being leveraged
by cybercriminals. Attackers are using Google Translate links, image attachments,
and special characters to evade detection. The researchers found that during January 2023,
13% of organizations received
phishing attacks that abused Google Translate. They state, attackers use the Google website
translate feature to send Google-hosted URLs embedded in emails that ultimately lead to
phishing websites. In this type of attack, the attacker relies on a translation service to deceive the victim and hide the actual malicious URL.
Google Translate is the most widely used service, but our security analysts have also seen similar attacks hosted behind other popular search engines as well.
Sentinel Labs reports on recent activity by a quiet and relatively overlooked APT
tracked as Winter Vivern.
The report this morning said,
Our analysis indicates that Winter Vivern's activities are closely aligned with global objectives
that support the interests of Belarus and Russia's governments.
The APT has targeted a variety of government organizations
and, in a rare instance, a private telecommunication
organization. Most of that espionage has been conducted against targets in Eastern Europe,
and both CERT-UA and Poland's Central Bureau for Fighting Cybercrime are tracking the activity,
which they characterize as criminal. Sentinel Labs adds,
The threat actor employs various tactics such as phishing websites,
credential phishing, and deployment of malicious documents that are tailored to the targeted
organization's specific needs. This results in the deployment of custom loaders and malicious
documents which enable unauthorized access to sensitive systems and information. Some of that phishing involves
impersonation of Poland's Central Bureau for Fighting Cybercrime itself. Microsoft reports
that while Russian cyber operators have underperformed during the hybrid war, there are
signs of a spike in both espionage and influence operations. Microsoft states, in 2023, Russia has stepped up its
espionage attacks, targeting organizations in at least 17 European nations, mostly government
agencies. Wiper attacks continue in Ukraine. Influence operations have shown an interesting
shift in attention toward Moldova. In a longer report on lessons learned over the
first year of Russia's war, Microsoft concludes with a warning that future Russian operations
are likely to fall into two categories. First, espionage purposes to understand military support
and political deliberations of different nations and their commitments to the Ukrainian resistance,
and second, potential hack and leak operations targeting key figures essential for support to Ukraine. So let those shields stay up.
Wired has a profile of Colonel Evgeny Serebryakov,
the GRU officer who's running the Russian Military Intelligence Service's Sandworm unit.
Sandworm has been a problem with wipers, attacks on power distribution networks, and other capers,
but also a record of noisy stumbling around.
Wired writes,
After half a decade of the spy agency's botched operations,
blown cover stories, and international indictments, perhaps it's no surprise that pulling
the mask off the man leading that highly destructive hacking group today reveals a familiar face.
Colonel Serebryakov was actually arrested in the Netherlands during a clumsy 2018 attempt
to hack the Organization for the Prohibition of Chemical Weapons, the international organization then investigating the GRU's grisly attempt
to use Novichok nerve agent to assassinate a GRU defector in the UK.
The target and his daughter survived,
an uninvolved British bystander did not.
It's unclear why the Dutch authorities released Colonel Serebryakov.
He's still under U.S. indictment, although out of reach and working from some branch of the Aquarium,
the nickname given to GRU headquarters in Moscow by those who work there.
Russia is looking in the Black Sea for the wreckage of the U.S. drone
Russian fighters forced down in international airspace on Tuesday, the Telegraph reports.
While it was a kinetic knockdown, the Russian fighters dumped fuel on the MQ-9 Reaper
and then collided with the drone's propeller.
The incident has cyber implications.
Should Russia be able to recover the MQ-9's wreckage,
it would look for ways of extracting and exploiting data and data management systems
the drone carried. U.S. operators are said, according to the Washington Post, to have wiped
the MQ-9's systems before bringing it down some 56 nautical miles off the Crimean coast.
Getting to the wreckage will be difficult as the drone sank in water that's between 4,000 and 5,000 feet deep. General Milley,
chair of the U.S. Joint Chiefs of Staff, said, we'll work through recovery operations. It probably
broke up. There's probably not to recover, frankly. So, says the general, in effect, don't fear the Reaper.
Coming up after the break, Johannes Ulrich from SANS talking about malware spread through Google Ads.
Our guest is David Anteliz from Skybox Security with thoughts on federal government cybersecurity
directives.
Stay with us.

At the federal level here in the U.S., there have been several binding operational directives issued by CISA and others
mandating that federal agencies meet certain standards for asset visibility and vulnerability detection over the next few months.
David Anteliz
is Senior Technology Director at Skybox Security, and he makes the case that putting these sorts of
deadlines in place can have the unintended effect of putting the bad guys on notice.
When directives come out or these instructions come out from the Fed or whatever government agency,
we usually find ourselves at an inflection point of where do we need to pivot from?
And oftentimes there's some confusion as to what is required, what is needed.
For instance, CISA has offered guidance on vendors providing security up front
and being more responsible for their products that they offer.
Oftentimes, that takes the onus off of the individual that is consuming the product
or those that are purchasing product
and don't necessarily understand that there is also a shared responsibility.
So when you look at the landscape as a whole,
often there's a lot of messaging,
a lot of white noise, and not necessarily a lot of exactly what do you need to do in order to
secure your borders, so to speak. And so one of the points that I think you and your colleagues
are making is that as we come up on the dates of some of these operational directives being enforced, that it sort of motivates the threat actors to come at some of these agencies.
Absolutely.
It's almost like, hey, we're ringing the dinner bell for the wrong reasons.
And we're trying to call everyone to the table to make sure everybody's secure, but the biggest, the baddest are going to run towards the food and try to get as much as they can before everybody else gets there and there's nothing
left but scraps. That's the way I look at things in terms of we're basically announcing to the
world, we're trying to close up. We're trying to make sure that we are in a position of strength,
but before we get there, we're also announcing
that we are in a position of weakness. And therefore, it's almost like, hey, guys, come
get what you can. We got a couple of windows left open. Come jump through there, take what you want,
and then we'll batten down the hatches a little bit later. Right. We're going to put a fence up
around this farm full of delicious food. Here's the data that's going up.
That's an interesting perspective.
So what do you suppose is to be done here?
Given that reality, how should organizations be responding?
I think that there should be some level of collaboration,
a measure of collaboration between the governments
and the private sector.
Again, there's this disparity about what the requirements should be
and what they should be doing to attain a measure of security posture
or improving their security posture.
And when you leave it up to compliance
or you leave it up to some sort of governance,
we're just addressing the nascent elements of the compliance. We're not going after
it all. We're not taking a baseline approach to try to understand, well, what should we be focused
on in order to make sure we secure our environments, our infrastructure, our product sets,
our supply chain, all of that. We're basing everything on what was given to us as a mandate,
but we're not entirely sure that we've addressed all of those different pieces
that are going to help us secure what needs to be secured.
And because of that, we leave a lot of holes open.
There are a lot of holes that get exposed.
For example, education plays a really big part in terms of cybersecurity.
When we talk about phishing, as for example, it's very simple, very easy, very common these days.
The city of Chicago, in particular the Department of Aviation, back in 2019 experienced a very big boo-boo, if you will,
potential breach when they were provided, somebody was provided an email from one of their so-called vendors to basically, let's change the account. Let's pay out a million dollars plus
to this individual. And the individual just bought hook, line, and sinker. Well, we've had mandates out there forever
dictating what phishing and spear phishing should look like.
And this person, this individual with this type of control and power
just bought into that email really quickly and shifted all
this money. Luckily, the bad guys didn't get the money. But it did
expose a measure of, I won't say ignorance,
but just the, I guess,
lack of thought
in asking somebody, hey, should I be doing this?
Should I be, you know, what's the process here? Who should I be talking
to, you know, in order to approve this kind of large transaction?
And should I be opening up these emails to begin with?
That's been mandated a long time ago.
But again, because we have such vague wording out there
and it's not pushed down and, you know,
there's this causality that unless it happens to you,
nobody does anything.
There isn't that measure of you need to get with the times.
So again, kind of flowing down all the way down to the user level.
The user level is looking at management to say, this is what security looks like.
Management is looking to the business to say, what do we need to secure?
And the business is looking to regulatory and governance and compliance to say, what should we be doing in order to secure?
And when those things are out of lockstep, you end up with situations like that.
Well, in your estimation, who is best equipped to oversee that sort of enforcement?
That's a good question.
Because obviously, at the federal level, it's an overarching component.
And that needs to filter on down to the state level.
And the states where these businesses transact or conduct business are beholden and paying their taxes to.
So there has to be a shared
responsibility, I guess, from that aspect. I think there needs to be some measure of responsibility,
both at the board level as well as the government level. And there has to be some coming together
as to, we agree that if we do X or we don't do X in order to secure our data,
and it's found that we egregiously messed up, that we're going to get dinged.
And it can be at the federal level, it could be at the local level.
But I think because the mandates are coming down from the federal level at this point,
it has to be coming from that overarching umbrella.
I don't know how much they can impose their will, though.
Yeah.
So not just shared responsibility,
but shared liability as well.
Yeah, there has to be.
And you're starting to see that kind of like
where the boardroom is starting to grumble
about these incidences,
and they're starting to dictate pace with the CEO.
The CEO is now going to start eating some of that.
It's going to start carving into his bonuses and his salary as it should be.
If somebody gets fired at the lowest level for misconfiguring a router or switch or a firewall or what have you,
so too should a CEO for the direction that he's taking the company,
especially for those that are directly reporting to him and have direct responsibility for maintaining security
and posture of the organization.
That's where we see mostly when money is involved
and affects someone's pocketbook,
I truly believe that that's where we're going to start seeing measurable success.
Because they're not going to want to see something take a chunk out of their stipend just because somebody materially forgot to make a configuration change or there was a whole process that got missed.
That's David Anteliz from Skybox Security.
And I'm pleased to be joined once again by Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute and also the host of the ISC Stormcast podcast.
Johannes, it's always great to welcome you back.
We have been seeing some reports here about some malware coming through with Google Ads.
I know this is something you and your colleagues are tracking. What do we need to know about this?
Yeah, so this is something that I think has really become more and more of a problem these last few months.
And we have observed a number of cases, also documented them in our posts. The problem here is that malware actors are paying for Google Ads to impersonate well-known software.
We have seen OBS, like the studio software.
We have seen Audacity.
We have seen some of those commercial software too,
like Word and such.
When you're just searching for,
hey, I want to download this particular software,
the number one search result is leading you
to malicious software because it is a paid ad.
And Google apparently has a hard time dealing with that. And it's very difficult for a user, even for a somewhat experienced user,
to distinguish these malicious ads from valid links.
Because often they're using a lookalike URL,
so they're using a slight variations of the domain name.
And in particular with open source software, one defense for them would be, hey, let's
just buy another ad, pay more for ads.
But free software, of course, doesn't really want to pay a lot for ads just to get Malware
out of the way.
And then, of course, you're being led to a lookalike website and you're downloading
malicious software. Typically, what you're getting is something that looks like the real software
with additional add-ons. There is part of the installer, they install the legitimate software,
but they're also installing some kind of infostealer or a bot or whatever.
So what's to be done here? I mean, I think most people, certainly consumers, they have a lot of trust in Google.
Well, don't trust Google.
That's, I think, the first thing here.
And probably one of the simplest things that you can do is get an ad blocker.
Now, when you're talking about the web and such and podcasts, usually, as sort of the social contract, hey, you're not going to pay for
it, but you're going to listen to our ads, you're going to view our ads. But that also, I think,
assumes that these ads are somewhat curated and are not outright malicious like what we are having
here with Google. So I think in so far, definitely running an ad blocker
is probably a first line of defense
against this particular attack.
Other than that,
just be extremely careful as to what you download,
which is a good idea anyway.
But like I said, in this case,
it's sometimes hard to tell if it's malicious or not.
One little trick that you can use is VirusTotal.
VirusTotal is pretty good at finding
these or flagging these malicious
binaries that you may be downloading.
Interestingly, VirusTotal is
owned by Google, so
at least have Google help you out here
defending yourself against Google.
Against Google.
It would be nice if Google
would just do it themselves
before they accept ads and such.
But I guess it's just a matter of
there's a self-serve ad economy they set up
where they just let everybody place ads.
And sometimes these ads are then also
placed through third parties that are reselling ads.
So it's a fairly complex kind of ecosystem
and that doesn't help here.
Yeah, I mean, I find myself saying often
that you'll hear the tech companies say,
oh, well, we can't monitor this at scale.
We can't do this at scale.
And my response is, if you can't do that at scale,
then maybe you shouldn't do that at all.
Yeah, for Google, it's just their business concept
to take your data and then resell it to better place ads.
So it sort of goes at the core of their business,
which I think makes that more difficult to them.
Yeah, it's remarkable, though,
that somebody can make it to the front page of Google.
The top search results was something that is a scam.
And ultimately, you'd think that would be
against Google's best interest.
Yeah, and we have seen Google fight back
somewhat against search engine optimization
where people didn't pay.
They just placed links on various websites.
Many, many years back, I think it was a decade back,
we had a case where there was an earthquake in Chile.
And what we noticed is that within minutes of that earthquake, which is an unpredictable event, the top search results when you search for earthquake in Chile was malware or malicious links.
Wow. At that point, what we found was there was actually a bot that monitored the Google Trends, the top search queries,
and then automatically updated thousands of WordPress sites they had compromised in order to add spam links and amplify their links.
But they didn't pay Google, so Google actually does now a pretty good job against this kind of search engine optimization
or black hat search engine optimization, sometimes called.
That doesn't happen as much anymore.
But hey, they still take your money.
And that's the surefire way to be the number one result when you're doing a search.
Yeah, boy, the cat and mouse continues, huh?
Last year, there was one case for even Google Chrome.
When you search for Google Chrome, you got a malicious link
at the top.
That no longer happens, so they must have put some
block in there that nobody can advertise Google Chrome.
Buyer beware, right?
Yes, buyer beware.
Like I said, an ad blocker is probably your best bet
at this point.
Get something free from a reputable source
that doesn't replace Google Ads with other malicious ads.
Mm-hmm, mm-hmm.
All right, well, Johannes Ulrich, thanks so much for joining us.
Thank you.

And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Trey Hester, with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.