CyberWire Daily - Cl0p moves their way into the systems of major European companies. Notes from a highly active cyber underworld. And hybrid war updates.
Episode Date: June 6, 2023
The Cl0p gang claims responsibility for the MOVEit file transfer vulnerability. Verizon's DBIR is out. Palo Alto Networks takes a snapshot of last year's threat trends. A new criminal campaign targets Android users wishing to install modified apps. A smishing campaign is expanding into the Middle East. Cisco observes compromised vendor and contractor accounts as an access point for network penetration. Cyclops ransomware acts as a dual threat. Anonymous Sudan demands $1 million to stop attacks on Microsoft platforms. Ben Yelin explains a groundbreaking decision on border searches. Our guest is Matt Caulfield of Oort with insights on identity security. And a deepfaked martial law announcement airs on Russian provincial radio stations.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/108
Selected reading.
Clop ransomware claims responsibility for MOVEit extortion attacks (BleepingComputer)
CVE-2023-34362 Detail (National Institute of Standards and Technology)
Microsoft links Clop ransomware gang to MOVEit data-theft attacks (BleepingComputer)
BA, BBC and Boots hit by cyber security breach with contact and bank details exposed (Sky News)
2023 Data Breach Investigations Report (Verizon)
2023 Unit 42 Network Threat Trends Research Report (Unit 42)
Tens of Thousands of Compromised Android Apps Found by Bitdefender Anomaly Detection Technology (Bitdefender)
Chinese-speaking phishing ring behind latest fake fee scam targeting Middle East; another campaign exposed (Group-IB)
Adversaries increasingly using vendor and contractor accounts to infiltrate networks (Cisco Talos)
Cyclops Ransomware and Stealer Combo: Exploring a Dual Threat (Uptycs)
U.S. Measures in Response to the Crisis in Sudan (US Department of State)
Microsoft's Outlook.com is down again on mobile, web (BleepingComputer)
Kremlin: fake Putin address broadcast on Russian radio stations after 'hack' (Reuters)
Deep fake video of Putin declaring martial law is broadcast in parts of Russia (Semafor)
Peskov called "Putin's emergency appeal" shown on some TV networks as a hack (TASS)
Proceedings of the 2023 U.S.-Ukraine Cyber Dialogue (US Department of State)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Cl0p gang claims responsibility for the MOVEit file transfer vulnerability.
Verizon's DBIR is out.
Palo Alto Networks takes a snapshot of last year's threat trends.
A new criminal campaign targets Android users wishing to install modified apps.
A smishing campaign is expanding into the Middle East.
Cisco observes compromised vendor and contractor accounts as an access point for network penetration.
Cyclops ransomware acts as a dual threat.
Anonymous Sudan demands a million bucks to stop attacks on Microsoft platforms.
Ben Yelin explains a groundbreaking decision on border searches.
Our guest is Matt Caulfield of Oort with insights on identity security.
And a deep-faked martial law announcement airs on Russian provincial radio stations.
I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, June 6th, 2023.
Yesterday, Cl0p told Bleeping Computer that it was responsible for the employment of the MOVEit Transfer SQL injection vulnerability. The vulnerability, which was added to the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog last Friday, was first employed on May 27th, Bleeping Computer reports.
Mandiant had associated exploitation of this vulnerability with Cl0p, as the gang had been searching for partners that use SQL injection. That attribution now seems to be confirmed.
Sky News said that Cl0p had claimed responsibility for exploiting the vulnerability against several British and Irish companies, including the BBC, British Airways, Boots, and Aer Lingus, with the intention of stealing customer information as well as national insurance numbers. The companies at present don't believe their financial information was stolen.
Verizon has released its 2023 Data Breach Investigations Report, the DBIR, finding that 74% of breaches involved a human element. This includes human error, privilege misuse, use of stolen credentials, and social engineering. Business email compromise attacks have also nearly doubled this year. The median cost of BEC attacks has risen to around $50,000.
Fortunately, collaboration between law enforcement and banks aided over half of the reported BEC victims in recovering a majority of their money back, almost 82%.
95% of breaches were financially motivated, and ransomware attacks have remained steady, representing 24% of security incidents.
In another study of recent developments in threat circles, Palo Alto Networks' Unit 42 has published a report looking at malware trends during 2022. The researchers observed a 55% increase in vulnerability exploit attempts compared to 2021. Many of these attempts involved the Log4j and Realtek supply chain vulnerabilities. PDF attachments were used in 66% of attempts to deliver malware via email, and the researchers also found that the average count of malware attacks between 2021 and 2022 jumped by 238%.
Researchers at Bitdefender have discovered what they describe as a hidden malware campaign living undetected on mobile devices worldwide for more than six months. The researchers explain that the campaign is designed to aggressively push adware, a type of malware that forces unwanted ads into the victim's online experience. The campaign is probably capable of switching tactics and transitioning to pushing Trojans or other malware to the devices already infected.
Bitdefender has observed over 60,000 different samples that carry this adware, and the campaign, they believe, started in October of 2022. The applications that carry the malware are not available on any official app stores. Instead, they often pretend to be game cracks, free VPNs, Netflix, YouTube, or TikTok without ads, even going so far as to fake security software. The most popular downloads seem to be modified legitimate applications that the scammers claim have been enhanced for better user experience.
The applications, once installed, aren't marked with an icon, making them more difficult to uninstall and potentially misleading the user into thinking there was a problem during the installation process.
You know what they say, good things aren't cheap and cheap things aren't good.
While nobody enjoys shelling out cash for games and premium services,
it may be safe to say that malware may be even less desirable.
Group-IB warns that a Chinese-speaking phishing gang has expanded its targeting from the Asia-Pacific region to the Middle East. The gang, which the researchers call Postal Furious, impersonated a toll operator and a postal service in the Middle East. In the former case, the scammers messaged victims with a request for immediate payment to avoid additional fines. In the other cases, they send bogus package delivery notifications by text message. The gang's motivation seems to be financial, that is, straightforwardly criminal.
Cisco Talos today released a report detailing attackers' targeting and abuse of compromised accounts belonging to vendors and contractors. While the researchers highlight that recent software supply chain attacks, such as those affecting 3CX and MSI, have drawn attention, other links of the supply chain are easier to exploit and are often overlooked. Using and abusing VCAs allows for more access and privilege into systems that may not be identified in a timely manner, as trust in the third-party workforce provider may keep from a deep look into those accounts.
The Uptycs threat intelligence team yesterday shared their discovery of a new threat actor called Cyclops. The Cyclops ransomware-as-a-service offering is capable of infecting Windows, Linux, and macOS machines. The malware, researchers say, also contains a binary specifically for lifting sensitive data. Cyclops has been seen shilling its offering on forums and requests a cut of the profits if the malware is used.
After the payload scans and identifies the processes that are running on the infected machine and retrieves all of the drive information, a ransom note is dropped. The note, a text file, redirects to an Onion site that promises to lead victims on the road to recovery of their data if they pay up.
Cyclops ransomware is said to share attributes with other ransomware families. The ransomware encryption logic in Cyclops is said to be similar to that of Babuk, and the encoding and storage of executable strings was observed in version 2 of LockBit.
Anonymous Sudan began targeting U.S. organizations on Saturday in a new distributed denial-of-service campaign after the hacktivists took offense at comments made by U.S. Secretary of State Antony Blinken regarding a possible U.S. involvement in Sudan.
The attacks, which originally targeted hospitals and the ride-sharing company Lyft, have now
been refocused on Microsoft Outlook and Microsoft-owned OpenAI's ChatGPT chatbot.
The group announced yesterday that they had disabled Microsoft Outlook in DDoS attacks,
which reportedly frustrated thousands of customers, CNN reported.
Bleeping Computer reported a global outage which prevented Outlook users from sending
emails or managing calendars.
After the attacks, Anonymous Sudan continued lobbing insults at Microsoft and even launched surprise attacks as they took offense to Microsoft tweeting that they had solved the issue impacting service. The group even went so far as to advertise their IT services to Microsoft for a million dollars.
Today, the group announced that it would go after ChatGPT, posting that they had already run a test attack and would launch a real attack later in the day. They explained, in a humble brag sort of way, that they had done all of this with internet speeds reaching less than one megabit per second. Internet issues seem to have plagued the hacktivist group, as earlier this year they complained of widespread internet outages and appealed for Starlink to be opened in Sudan. In an attempt to gather attention, they claimed that they had shut down Twitter with a DDoS attack. The group has since announced a new attack on Microsoft products, starting today at 11 a.m. Eastern Time this morning.
And finally, a bogus radio address misrepresenting itself as coming directly from President Putin
aired Monday over some Russian radio stations near the border with Ukraine.
In the broadcast, the faux Putin said that Ukrainian forces had crossed the Russian border
in large numbers,
that Russia had declared both martial law and a general mobilization,
and that citizens in border regions should evacuate deeper into Russia.
Official Russian media were quick to debunk the story,
attributing the broadcast to hacking, and saying that in response to the incident,
law enforcement and other local authorities had taken control of the local radio stations.
Coming up after the break, Ben Yelin explains a groundbreaking decision on border searches. Our guest is Matt Caulfield of Oort with insights on identity security. Stay with us.
Identity threat detection and response firm Oort recently released the 2023 edition of their State of Identity Security Report. Matt Caulfield is founder and CEO of Oort.
We're at the very beginning of what's going to be a long journey. I usually use the analogy of think of where network security was maybe 30 years ago or where endpoint security was maybe 20 years ago. That's where identity security is today. We don't have endpoint detection response or even the antivirus equivalent of identity security. So we're just getting started. People are just waking up to the fact that although we've invested a lot in identity infrastructure, single sign-on, directories, governance tools, password vaults, we're just now getting started on tools that give us visibility across the IAM infrastructure that an enterprise might have in order to secure and understand that infrastructure and protect that identity attack surface.
Well, let's dig into some of the findings from the report here. What are some of the things that caught your eye?
Yeah, so we worked on this pretty diligently with our team. We have an in-house data science team that put this together. And there's some high-level takeaways that may not be all that surprising,
but really reaffirm the magnitude of the problem that I think we all understand intuitively.
So we found that across 500,000 identities that we analyzed, over 40% of them had
no form of strong MFA. And what that means is that they either had no MFA, multi-factor authentication
at all, or they're using a weak form of MFA, such as SMS, which is very easy to phish.
So that's one big takeaway. Another is that, unsurprisingly, administrator accounts are much more likely to be attacked and taken over.
And then I think the third big takeaway that we found is that 25% of accounts in the average enterprise are just simply not being used at all.
They haven't been logged into for 30, 60, or even 90 days.
Well, let's go through some of the proposed solutions here.
What do you all recommend?
Sure. There's a lot that enterprise companies, large and small, can be doing to get ahead of
this. And not all of them need to break the bank. There's plenty of low-hanging fruit that companies
can take care of, starting with cleaning up, looking for some of these 25% inactive accounts, cleaning up accounts that
haven't been used. I often use the analogy that a dormant account or an orphaned account is kind of
like a server sitting in a closet somewhere that hasn't been patched in the past five years.
Accounts are no different. Attackers are just waiting to take over those unused assets and then
take over them. So cleaning up and identity
hygiene has to be priority number one. And I think number two would be getting more visibility around
the behavior of identities and doing more around what's called identity threat detection these days,
looking for specific tactics, looking for indicators of compromise, and even looking for
anomalies based on user behavior.
You know, your comparison to servers reminds me of that old story about how, you know, if somebody doesn't know what a particular server is doing, just pull the plug and the person who's using it will come find you.
Yes.
I wonder if that applies to accounts as well.
That 100% applies to accounts as well. In fact, we do this all the
time. We suspend accounts on behalf of our customers for unused ones, and they're very,
very cautious not to turn off the CFO's account or the CEO's account because that's what we would
call a career-limiting move. But yes, for your everyday users, it's actually quite a good way,
especially for contractor accounts where you don't know if the contract is done or not.
Turning them off, you'll know pretty quickly if it still needs to be used.
Can we dig into some of the specifics about MFA here?
Because I think a lot of folks probably think the fact that I'm using MFA at all puts me head and shoulders above the folks who aren't.
To what degree is that the reality?
So that's true.
We've come a long way in the industry with MFA adoption.
And so when you're trying to outrun the bear, you don't need to be faster than the bear.
You just need to be faster than the guy who's still putting his shoes on.
The same thing is true for MFA. So now that everybody's got MFA, everyone's got their shoes on, now it's a question of, well, who has the stronger form of MFA? And what we're finding is that not all factors, multi-factors, are created equal. Some of them are much easier to phish, or man in the middle, than others. So for example, SMS is exceptionally easy to phish because it's just a code that you copy from one screen to another. And so you can imagine, like, well, it's fairly easy for an attacker to pretend to be somebody from IT or support and say, hey, I'm from support at your company. You'll have just received a six-digit code. We're troubleshooting your account. Can you please send that over to me so I can continue what I'm doing? And oftentimes that will work.
And so we're seeing many companies try to move to stronger forms of MFA. So for example, FIDO2-compliant, phishing-resistant YubiKeys, for example, are one of the strongest forms, or biometrics that are tied to a device are another way that people are ramping up the strength of their multi-factor. And we're seeing a lot of companies adopt passwordless. Often that's tied to factors that are difficult to phish. And because you don't have passwords, you're less likely to input the wrong password into the wrong screen.
Where do you suppose we're headed with this? Is it clear to you what the future may hold?
I have my version of the future, which I think is that we'll never be perfect. In the same way that endpoints will always have vulnerabilities, in the same way that networks will always have back doors, there will always be a way to bypass MFA and single sign-on screens. What we need is vigilance and additional systems to provide visibility over these critical pieces of infrastructure.
And so if you imagine that, hey, we can't necessarily trust Apple or Microsoft to completely lock down their devices. So that's why we invest in EDR tools like CrowdStrike, because although Microsoft and Apple have been doing a much better job than in the past, we still want that extra layer of insurance. And I think identity is the same way. We'll continue to evolve the identity infrastructure and invest in stronger forms of multifactor, and Okta and Microsoft and Duo and Google Workspace will continue to evolve the security of their identity controls, but there will always be the need for security teams to have an additional layer of visibility to make sure that that IAM infrastructure is behaving as expected and any new identity vulnerabilities are taken care of right away.
That's Matt Caulfield from Oort. The report is the 2023 State of Identity Security Report.
And joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Hey there, Ben.
Hello, Dave.
So, interesting development here. I'm referencing an article over from the EFF, the Electronic Frontier Foundation. This is written by Sophia Cope, and it's titled, Federal Judge Makes History in Holding That Border Searches of Cell Phones Require a Warrant. This seems to me like a big deal here, Ben. Am I correct?
To paraphrase our president from when he was vice president, this is certainly a BFD. So the case she is referencing in this piece is United States v. Smith.
Okay.
For a little bit of background, there has long been a border search exception to the warrant requirement in the Fourth Amendment to the Constitution. So the Fourth Amendment prohibits unreasonable searches and seizures. Searches have to be supported by probable cause, a finding that has to be confirmed by a neutral magistrate.
That's the essence of our Fourth Amendment.
Right.
But the Supreme Court has identified circumstances in which a search can be reasonable for Fourth Amendment purposes, even in the absence of a warrant.
And one of those exceptions has been for physical searches at the border.
There's a public policy justification for that, which is that we have a broader public policy
interest beyond just apprehending criminals to prevent contraband from coming in from overseas.
So this is a well-accepted exception. This has been considered under what's called the special needs doctrine at the Supreme Court.
Right.
This gets much more tricky when we're talking about the application to digital data. So there were a couple of other federal appellate courts who started to limit this generalized border exception under the Fourth Amendment. So for example, the Ninth Circuit in a case called United States v. Cano held that a warrant is required for a device search at the border that seeks data other than, quote, digital contraband, something like child pornography. There's a Fourth Circuit case, I believe we talked about it at the time, United States v. Aigbekaen, if I'm pronouncing that correctly, which held that a warrant is required for a forensic device search at the border in support of a domestic criminal investigation.
What this judge does here is go even further than previous appellate courts and holds that all searches of cell phones at the border require a warrant.
even further than previous appellate courts and holds that all searches of cell phones at the
border require a warrant. And she does that by referencing the 2014 Supreme Court decision in
Riley v. California. That decision held that even in a search incident to arrest,
the government needs to obtain a warrant
before it searches an individual's cell phone.
And the impetus behind that opinion
was that the cell phone holds a wealth of information.
It's beyond a simple device.
It has all of our private stuff in it,
all of our contacts, all of our emails.
So it's just this mosaic of our lives that we've never encountered before.
And for that reason, even if it is a search incident to arrest, then the government needs a warrant under the Fourth Amendment.
And I think what this judge is doing is extending that logic to border searches. They are applying the same sort of balancing test that the Supreme Court used in Riley, where they're measuring the government's need versus the potential invasion of privacy. Certainly, the government does have a need, does have a public policy justification for wanting information on people who are crossing our borders. I think everybody recognizes that need. But when we balance that against the idea that we're going to be warrantlessly searching people's cell phones, especially U.S. persons' cell phones, the balance just does not weigh in favor of the government. And that's true, according to this federal judge, whether the search happens at the border or anywhere else. So I think this is certainly a groundbreaking decision.
We'll see what happens as it makes its way up to the Second Circuit Court of Appeals,
where they may or may not consider this decision if the United States chooses to appeal,
which I suspect they will.
Yeah. So does this put us on a more likely path to the Supreme Court?
I'm not sure yet. I mean, I think certainly the potential is there. I've been looking for a border search case at the Supreme Court and was expecting that the next case we'd see there was going to be on something narrower, like whether a warrant is required for a full digital forensic search.
This is such a broad question.
I think perhaps the Supreme Court would like to see other circuits weigh in on this to make sure that there's a split among circuits before they have an interest in taking it up.
But it's certainly possible that we eventually see this in front of the Supreme Court,
especially if the Second Circuit, which I'll note has a pretty liberal majority,
especially if they uphold this decision from the district court and the Supreme Court realizes that this presents a really novel issue of law that they need to weigh in on.
Then I think that we could see this come in of people the wrong way, and I would put myself in that category, is the degree to which the border is the United States, and then, what is it, like 200 miles around the edge of that border is what U.S. Customs and Border Protection claims to be their jurisdiction,
and then measure the percentage of U.S. citizens who live out there day-to-day in that zone.
Right, right. That 200-mile zone of the border.
Right, because where did we build our cities?
On the border where the ports are.
And so it just, you know—
Not to mention it's people coming back from traveling overseas via airplane.
So the fact that we're just going to abandon all of our Fourth Amendment protections because somebody traveled internationally, I mean, that's certainly a question up for interpretation of the Fourth Amendment, I think.
I think that's exactly what the judge is saying here.
Yeah. All right. Well, this is another one we're going to have to keep an eye on, but this one certainly caught my attention here. This was a very interesting development, right?
It certainly is, yes.
Yeah. All right. Well, Ben Yelin, thanks so much for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
Thank you.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.