CyberWire Daily - Contractor error behind FAA outage. OneNote malspam. Vastflux ad campaign disrupted. Ukraine moves closer to CCDCOE membership. Alerts for gamblers and gamers.
Episode Date: January 23, 2023
The FAA attributes its January NOTAM outage. Malicious OneNote attachments are appearing in phishing campaigns. The Vastflux ad campaign has been disrupted. Ukraine moves toward closer cybersecurity collaboration with NATO. Rick Howard considers the best of 2022. Deepen Desai from Zscaler looks at VPN risk. And, finally, we're betting you want alerts for sportsbook customers and online gamers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/14
Selected reading.
FAA Says Contractor Unintentionally Caused Outage That Disrupted Flights (Wall Street Journal)
Not a cyberattack, but an IT failure: the FAA's NOTAM outage. (CyberWire)
Hackers now use Microsoft OneNote attachments to spread malware (BleepingComputer)
Traffic signals: The VASTFLUX Takedown (HUMAN Security)
Ukraine signs agreement to join NATO cyber defense center (The Record from Recorded Future News)
FanDuel warns of data breach after customer info stolen in vendor hack (BleepingComputer)
Industry looks at the MailChimp data incident. (CyberWire)
PSA: Don't play GTA Online on PC right now (Video Games)
You might not want to play GTA Online right now due to security vulnerabilities (RockPaperShotgun)
Riot Games hacked, delays game patches after security breach (BleepingComputer)
Riot hit by 'social engineering attack' that will affect patch cadence for multiple titles (Dot Esports)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
The FAA attributes its January NOTAM outage.
Malicious OneNote attachments are appearing in phishing campaigns.
The VastFlux ad campaign has been disrupted.
Ukraine moves toward closer cybersecurity collaboration with NATO.
Rick Howard considers the best of 2022.
Deepen Desai from Zscaler looks at VPN risk.
And finally, we're betting you want alerts for sportsbook customers and online gamers.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 23rd, 2023.
The Wall Street Journal reported late last week that the FAA has traced the cause of this month's NOTAM outage
to an error committed by IT contractors during synchronization of backup files.
The Journal wrote,
The Federal Aviation Administration said Thursday that a contractor working for the air-safety regulator
had unintentionally deleted computer files used in a pilot alert system,
leading to an outage that disrupted U.S. air traffic last week.
The agency, which declined to identify the contractor,
said its personnel were working to correctly synchronize two databases,
a main one and a backup, used for the alert system when the files were unintentionally deleted.
Bleeping Computer reports that criminals are using OneNote files attached to malicious spam emails to install remote-access Trojans, the Quasar RAT among them.
OneNote doesn't use macros, and so malicious files have, in many cases, escaped detection by the usual technical screening tools.
The attachments do generate a familiar general warning stating, "Opening attachments could harm your computer and data. Don't open it unless you trust the person who created the file."
But experience shows that many users regard the warning as pro forma background noise and click through anyway, thereby installing the RAT.
The VastFlux ad fraud operation has been disrupted by researchers at the security firm
Human. Most of the affected apps were developed for iOS. The researchers write, at its peak,
VastFlux accounted for more than 12 billion bid requests a day.
More than 1,700 apps and 120 publishers were spoofed,
and the scheme ran inside apps on nearly 11 million devices.
It made money through click fraud,
stacking large numbers of invisible ads beneath visible advertising banners.
Up to 25 video ads would run behind the user's active window.
Human Security's description of the campaign portrays a criminal enterprise that operated with a degree of sophistication.
The name Human gave the operation, VastFlux, for example, alludes to the fast-flux technique the criminals employed to evade defenses by rapidly moving across a large number of IP addresses and DNS records associated with a single domain.
It also showed considerable familiarity with the online advertising sector.
Human writes, the fraudsters behind the VastFlux operation have an intimate understanding of the digital advertising ecosystem.
They evaded ad verification tags, making it harder for this scheme to be found.
So, VastFlux is down, for now anyway, and bravo to Human and its partners for the takedown.
But as the researchers note, the perpetrators remain unidentified and they can be expected to attempt a comeback.
So continued vigilance is in order, but cooperative defense of this kind has one signal virtue.
It makes the hoods work harder to pull off a successful grift.
Turning briefly to the cyber phases of Russia's war against Ukraine,
last week Ukraine signed an agreement to join NATO's Cooperative Cyber Defence Centre of Excellence.
The CCDCOE is based in Tallinn, Estonia.
Ukraine's accession to the center will become official once the center's current members sign the agreement, but that agreement is widely expected to come swiftly.
Closer cooperation is seen as benefiting both Ukraine and NATO.
Natalia Tkachuk, who directs information security and cybersecurity at Ukraine's National Security and Defense Council, told the Record, Ukraine's experience is unique, and we are ready to share it with our allies, from the public-private partnership and effective involvement of cyber volunteers to methods of detecting and neutralizing cyber attacks from Russia.
Russian cyber attacks against Ukraine have fallen well short of expectations during Russia's war,
but according to The Hill, that's not for lack of trying.
Ukrainian officials put the number of cyber attacks against their country during 2022 at more than 2,000, with most of them originating in Russia.
Yurii Shchyhol, head of the State Service for Special Communications and Information Protection, said in a media availability covered by Reuters, essentially all hackers who work with Russia, most of them don't even hide their affiliation.
They are all funded by the FSB, Russia's Federal Security Service, are on military service, or are in the employ of those agencies.
Breaking Defense says U.S. officials warned late last week that while there are reasons for
optimism, it's important for organizations to keep their guard up and to recognize that Ukraine has for several years
worked to perfect its defenses in ways that not many other countries have.
So, hey everybody, do you bet on sports? Neither do we. But if you did, you might want to check your six, as they say over in the Air Force.
One of the after-effects of the MailChimp breach disclosed on January 13th has been the possible compromise of personal information over at the FanDuel sportsbook site.
Bleeping Computer reports that FanDuel has found that audience data for 133 customers has been exposed, and that those customers should be on the alert for account takeover attempts and phishing.
As has been reported in connection with the recent MailChimp breach,
the numbers of affected individuals didn't appear to be particularly large. The data isn't as sensitive as it might be,
apparently consisting only of customer names and email addresses,
but of course even slim information can be of use in social engineering attempts.
And finally, gamers, be ready for trouble the next time you squad up.
Gaming website Rock Paper Shotgun reports chatter that modders are abusing remote code
cheats to alter opponents' stats and disable accounts in Rockstar Games' Grand Theft Auto.
The gaming news outlet Video Games published a public
service announcement yesterday that warned, you may want to hold off playing GTA Online on PC
for now, as a new exploit gives hackers complete control over your account, and there's not much
you can do about it. The news about Rockstar, whose most famous title is Grand Theft Auto, comes from gamer chatter on Twitter and news accounts.
Video Games describes the possible effects.
The exploit lets hackers alter your character, change and remove stats,
and even outright ban or delete your account.
That's not the only case being reported.
In an unrelated incident, Riot Games tweeted late Friday,
Earlier this week, systems in our development environment were compromised via a social engineering attack.
We don't have all the answers right now, but we wanted to communicate early and let you know there is no indication that player data or personal information was obtained.
Dot Esports says that the attack preceded the start of various leagues
in the League of Legends esports circuit. You know what? It occurs to us that FanDuel can let
you place bets on esports. Not that you necessarily would, of course, but, you know, it's possible,
or so we hear. Not that we would, you know.
Coming up after the break, Rick Howard considers the best of 2022.
Deepen Desai from Zscaler looks at VPN risk. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this,
more than 8,000 companies
like Atlassian and Quora
have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation
to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access
reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io.
And it is always my pleasure to welcome back to the program Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst, but more important than any of that, he is the host of the CSO Perspectives show.
Exactly right, Dave.
If you're showing up here, that must mean that CSO Perspectives over on the pro side
of the CyberWire is cranking up for a new season.
So what do you got in store for us here today, Rick?
That's right, my friend.
Okay, it's CSO Perspectives.
It's starting its 12th season, if you can believe that.
I can't. First of all, Cyber Wire has only been seven years. So you're like multiple seasons per year, right?
It's kind of like dog years, you know, just...
Fair enough. Fair enough.
And so we have the interns, you know, locked up in the bowels of the Cyber Wire Sanctum Sanctorum, and they've been working on some fantastic stories.
But for this week, we are looking back in 2022 and highlighting some of the best podcasts and books that help me understand the cybersecurity landscape with a little more clarity.
So I call this being a student of the cybersecurity game.
Well, I know you are a big book guy with all of your volunteer work over on the Cybersecurity Canon Project.
What was your favorite cybersecurity book of 2022?
Well, I knew you were going to ask that, so I'm going to cheat a little bit.
I'm going to pick two, Dave, right?
The best cybercrime book that I've read in the past decade is Andy Greenberg's
latest called Tracers in the Dark. Right, right. You interviewed Andy about that book right before
the holiday break. Actually, I listened to that just recently. Quite a story there.
It's an amazing story, right? And it's about a group of researchers first, then entrepreneurs,
and then law enforcement officials
and how they figured out how to trace accounts
on the Bitcoin blockchain
that resulted in a series of high-profile arrests
in the cyber underworld.
And the bottom line here, Dave,
is if you thought your Bitcoin history was anonymous,
think again because it is decidedly not.
They figured out to determine all that stuff, right?
So watch out, all you
people in the cyber underground. The second book I really want to highlight here is George Finney's
Project Zero. That makes sense because I know that zero trust is one of your key strategies
you've been talking about for a while on the podcast. Yeah, and George is one of the smartest cybersecurity practitioners on the planet.
And as you would expect from George, his practical descriptions of the key elements of the zero trust philosophy are just perfect. So in this episode of CSO Perspectives,
we talk about those two books and a bunch of other books and podcasts that I found valuable last year.
All right. Well, that is on the CSO Perspectives Pro
on the subscription side of our network.
What's going on over on the public side?
Yeah, every season we roll out old episodes
in the CSO Perspectives archives
and to allow our listeners a chance
to see what they're missing
by not being a pro subscriber.
And so this week, you know,
because we got to get the cash coming in.
Sure, sure.
There's suits down the hall, you know.
Yeah, the suits.
We got to make them happy.
It makes it all happen.
Yeah.
Exactly right.
And so this week's show is a Rick the Toolman episode from May of 2022.
It's everything you ever wanted to know about the relatively new idea called Software Bill of Materials or SBOMs.
Ah, yes, very good.
Well, that is over on the CSO Perspectives public feed.
Before I let you go, what is the phrase of the week over on the Word Notes podcast?
Yeah, this week's word is CIRT, CERT with an I, for cyber incident response team,
and we try to clear up the industry confusion on what exactly is the difference between a CIRT, a CERT with an E for a computer emergency response team, and a SOC for a security operations center.
And we even have a cool clip from an old TV show, Dave, and I know you appreciate.
Do you remember 24 with Jack Bauer and all that?
Well, actually, yeah, it's a fantastic show.
And they have a CIRT in action.
So you need to come listen to that.
All right.
Well, you can check it all out.
It's on our website, thecyberwire.com.
That's CSO Perspectives.
Rick Howard, thanks for joining us.
And joining me once again is Deepen Desai.
He is the Global CISO and Head of Security Research and Operations at Zscaler.
Deepen, it's always great to welcome you back to the show.
I want to touch today on the report that you and your colleagues recently released.
This is your 2022 VPN risk report.
What can you share with us today?
Thank you, Dave.
Thank you for having me here.
And what a perfect topic to kick off the discussion.
So the VPN report that we published involved the ThreatLabz team looking at some of the attacks
over the past couple of years where VPN was being targeted as one of the entry points.
And as part of this research, we spoke to hundreds of cybersecurity professionals to get their insight as well when it comes to the state of VPN and the rise in VPN vulnerabilities and the threat landscape that's targeting that.
So some of the key findings: 78% of the organizations that we spoke with are concerned about ransomware attacks, which is not surprising, because many of the ransomware attacks, as we have seen in several high-profile breaches, start with targeting that VPN concentrator or leveraging a compromised credential to get inside the network.
And because of the way VPN is architected, it brings the user onto the same network as your business-critical applications, which allows threat actors to perform lateral movement and achieve their targets.
65% of companies were already considering VPN alternatives.
About 44% of the organizations reported an increase in exploits targeting their VPN infrastructure since adopting remote work.
This again aligns with what we're hearing from US-CERT and various regional agencies: there are dozens of threat actor groups that are specifically going after VPN concentrators to get a foothold inside the environment.
I'm curious when it comes to the providers of VPNs themselves.
I think particularly on the consumer side,
it's fair to say there's a wide spectrum in the quality of the providers there.
On the B2B side, are things better?
Is it easier for folks to shop around and find a high-quality VPN provider?
Yeah, so I do see two types of VPN being mixed up by most folks.
So the consumer side, I mean, the regular user, when they think of VPN, they're looking to anonymize.
For privacy reasons, they would rely on some of these VPN providers when they're visiting internet-bound destinations.
So those are anonymizer VPN kind of services that provide privacy to the end user.
So there's no tracking, there's no source profiling being done.
The VPN that we're talking about as part of this report are the one that provides remote access
to your corporate environment, to your business applications.
That's the VPN we're focusing on for this report.
And it's not about good quality VPNs
or one vendor is better than the other.
It's inherently the underlying architecture.
It's several decades old.
And the concept of bringing a user on the same network as other users, as well as your applications.
Even if you have ACLs and other criteria defined, what we're starting to see is threat actors will weaponize the payload with zero-day exploits. And then once they are on the network, they will exploit those vulnerabilities and gain escalated privileges and move laterally.
So it's the architecture that is being exploited.
And that's where most of these organizations are looking to move towards zero trust.
So one of the stats of the report calls out 80% of the organizations are already in the process of adopting zero trust,
which is a perfect alternative to VPNs.
So what are your recommendations then?
I mean, based on the information that you all gathered in this report,
what would you say to folks out there who are either using VPNs or considering it,
or I suppose, as your report points out,
some folks are looking for alternatives.
Yeah, so one of the easiest ways to think about
how are you improving your security posture,
how are you providing secure remote access
to your business-critical application is,
what if one of those endpoints that's trying to connect to your internal systems,
it could be your employee endpoint, is compromised, is infected,
or one of your user identity were to get compromised?
You need to ask yourself a question.
What is the blast radius from that machine that is coming in through VPN or any technology for that matter?
And that basically will clearly outline the comes to usage of zero trust.
Every other vendor is saying they're a zero trust solution.
So in order to think holistically, like ask yourself this question, whatever technology you're adopting,
is it providing you true user-to-app and app-to-app segmentation that will reduce the blast radius from a single
compromised asset? And if the answer is yes, then you're doing it right. If the answer is like, oh,
it will require me to set up these networking rules, firewall rules, that's an old way of doing
it. All right. Well, interesting information for sure.
Deepen Desai. Thanks for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The CyberWire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by
John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform
comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.