CyberWire Daily - Coping with Silicon Valley Bank's collapse. BatLoader's abuse of Google Search Ads. More on Emotet’s re-emergence. Medusa rising. NetWire collared. More-or-less quiet on the cyber front.
Episode Date: March 13, 2023
Coping with Silicon Valley Bank's collapse. BatLoader's abusing Google Search Ads. More on Emotet's re-emergence. Reflections on Medusa rising. An international law enforcement action against NetWire. Rob Shapland from Falanx Cyber on ethical hacking and red teaming. Bryan Ware from LookingGlass looks at exploited vulnerabilities in the US financial sector. And in Ukraine, it's more-or-less quiet on the cyber front (but in Estonia and Georgia, not so much).
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/48
Selected reading.
One of Silicon Valley's top banks fails; assets are seized (AP NEWS)
US, UK try to stem fallout from Silicon Valley Bank collapse (AP NEWS)
In abrupt reversal, regulators to cover Silicon Valley Bank, Signature uninsured deposits (American Banker)
Silicon Valley Bank collapse will not trigger new financial crisis, insists Sunak (The Telegraph)
'Banking system is safe': Joe Biden reassures markets in address on Silicon Valley Bank collapse – live updates (the Guardian)
BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif (eSentire)
BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads (The Hacker News)
Emotet Again! The First Malspam Wave of 2023 (Deep Instinct)
Emotet attempts to sell access after infiltrating high-value networks (SC Media)
Medusa ransomware gang picks up steam as it targets companies worldwide (BleepingComputer)
Alleged seller of NetWire RAT arrested in Croatia (Help Net Security)
FBI and international cops catch a NetWire RAT (Register)
How the FBI proved a remote admin tool was actually malware (TechCrunch)
Estonia's Election Was More Than Just a Win for Kallas (World Politics Review)
Estonian official says parliamentary elections were targeted by cyberattacks (Record)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Coping with Silicon Valley Bank's collapse,
BatLoader's abusing Google search ads,
more on Emotet's reemergence,
reflections on Medusa rising,
an international law enforcement action against NetWire,
and in Ukraine, it's more or less quiet on the cyber front,
but in Estonia and Georgia, not so much.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 13th, 2023. Hello, friends. It is good to be back. I want to give a special thanks to the fabulous Trey Hester for so capably filling in while I was on vacation with my family.
As you have likely heard, a run on Silicon Valley Bank last Friday drove the bank into insolvency. The failure hit the tech sector and the cybersecurity sector hard, especially its venture-backed startups.
Just before noon on Friday, the Federal Deposit Insurance Corporation, the FDIC,
closed SVB, placed it in receivership, and began working to find buyers for the failed bank.
Federal regulators worked over the weekend to control the damage.
It is, as the AP puts it, the largest failure of a U.S. financial institution since the height of the financial crisis almost 15 years ago.
The U.S. Department of the Treasury, the FDIC, and the Federal Reserve announced late Sunday
that the government had decided to take extraordinary measures to protect depositors,
stating, after receiving a recommendation from the boards of the FDIC and the Federal Reserve
and consulting with the president, Secretary Yellen approved actions
enabling the FDIC to complete its resolution of Silicon Valley Bank, Santa Clara, California,
in a manner that fully protects all depositors. Depositors will have access to all of their money
starting Monday, March 13th. A comparable arrangement has been reached for SVB's British unit, Silicon Valley Bank UK.
Reuters reports that HSBC UK Bank earlier this morning agreed to acquire SVB UK for the token
sum of one pound. As the business week opened, depositors this morning indeed found themselves
regaining access to funds that had been blocked since Friday, Bloomberg reports.
U.S. President Biden this morning held a news conference in which he addressed Silicon Valley Bank's collapse
and sought to reassure the country that the American banking system remained sound.
He emphasized that depositors' funds would be safeguarded, stating,
Thanks to the quick action of my administration over the past few days,
Americans can have confidence that the banking system is safe.
Your deposits will be there when you need them.
The program protects deposits. It's not a bailout.
And the shareholders in the bank, its bondholders, and of course its officers, remain exposed.
Mr. Biden reiterated, Americans can rest
assured that our banking system is safe. Your deposits are safe. Let me also assure you we will
not stop at this. We'll do whatever is needed. That last sentence refers to action the president
intends to ask Congress to take in order to prevent a recurrence of the sort of bank run
that took down SVB. eSentire says the operators of the BatLoader malware downloader are continuing
to abuse Google search ads to redirect users to malicious web pages. The malware is being
distributed via phishing sites that impersonate ChatGPT, Adobe, Spotify, Tableau, and Zoom.
BatLoader is used to deliver an assortment of malware,
including the RedLine Stealer, Ursnif, and the Vidar Stealer.
The researchers note that Microsoft, late last year,
linked BatLoader to Royal ransomware infections.
Emotet's reemergence last week had the goal of infiltrating corporate networks via malicious
emails in order to sell access to ransomware groups, SC Magazine reports.
Deep Instinct researcher Simon Kenin shared a post that Emotet has now been observed sending
malware in Microsoft Word files.
Paradoxically, researchers say,
the payload's large size, over 500 megabytes,
drastically decreases detection and subsequent neutralization of the malicious files.
Many security products and sandboxes
don't scan or isolate the files due to their size.
Kenin told SC Magazine,
when the operator of the botnet sees a high-value target infected, he can sell access to a ransomware group, which will have initial
access and try to hack the whole network. The return on investment is much higher for ransomware
than banking trojans these days. For other less valuable targets, a method of pay-per-install can be used, and the operator just loads other cybercriminals' malware in bulk.
Kenin says products that aren't solely reliant on static detection and analysis are more effective against attacks like Emotet's most recent campaigns.
Bleeping Computer reports that the Medusa ransomware gang has been stepping up its double extortion racket over the past several months.
Note that the Medusa ransomware operation is unrelated to the MedusaLocker ransomware-as-a-service offering.
The threat actor has launched its Medusa blog to leak data from victims who refuse to pay up.
The blog gives victims an option to pay a lower sum
to advance the deadline by one day. The Medusa gang last week released a lengthy video showing
data allegedly stolen from the Minneapolis Public Schools District. The threat actor is demanding
$1 million in ransom from the school district. Authorities in Croatia Thursday arrested a person of interest
whom they believe to be the administrator of worldwiredlabs.com, a domain used to distribute
the NetWire remote access Trojan, Help Net Security reported Friday. Swiss law enforcement also
reportedly seized the computer behind the Trojan's infrastructure.
NetWire was simultaneously advertised on hacking forums as well as legitimate markets,
where it was offered as a legitimate remote administration tool.
Used as a remote-access Trojan, NetWire allowed cybercriminals to remotely access and control devices as well as lift sensitive data from victims.
In an archived version of the site found by TechCrunch reporters,
NetWire is described as specifically designed to help businesses complete a variety of tasks
connected with maintaining computer infrastructure.
It is a single command center where you can keep a list of all your remote computers,
monitor their statuses and inventory,
and connect to any of them for maintenance purposes.
The U.S. Attorney's Office in the Central District of California said in the press release
announcing the site's seizure that the FBI's investigation into the site began in 2020.
TechCrunch reports that in the FBI's investigations, the Bureau found that the
site never required the FBI to confirm that it owned, operated, or had any property right to
the test victim machine that the FBI attacked during its testing, as would be appropriate if
the attacks were for a legitimate or authorized purpose. Krebs on Security has an account of what the domains used by NetWire
suggest about its operators. And finally, to return to the central theater of Russia's hybrid
war against Ukraine, a war that Russian officials claim is a defensive action against aggression
from the West, especially the Anglo-Saxon precincts of the West,
Estonia has successfully conducted its elections,
where a majority of the voting is done online,
despite extensive DDoS attacks by Russian threat actors on election infrastructure and other government services,
the Record reports.
The attempts didn't succeed in disrupting voting,
but Estonia's prime minister said there are clear signs the Russians are trying to adapt.
The Record quotes her as saying,
We see now the Russian attacks, actually they are not attributed officially,
so maybe I can't say this so openly,
but the attacks on our systems, we see that they are learning.
They see that, okay, these things are not going through,
so they are improving and constantly trying new ways to really undermine our system.
Elsewhere in the near abroad, and
especially in Russia's war against Ukraine, there's little new on the cyber front, but,
as CISA would put it, shields up. It's far too soon for complacency.
After the break, Rob Shapland from Falanx Cyber on ethical hacking and red teaming.
Bryan Ware from LookingGlass looks at exploited vulnerabilities in the U.S. financial sector. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Attack surface management company LookingGlass recently released ... The financial services sector is one of the most secure sectors.
It's an inherently digital sector.
That's where the money is.
And so, yes, it does attract adversaries, but it also attracts generally high levels
of spending and generally good cybersecurity talent.
And so I think one of
the things that was, I wouldn't call it surprising, but it's just notable that despite all of that
investment, there are still significant vulnerabilities that are present. So I think
that's one thing. I think the other thing also not particularly surprised, but still notable
is that among the concerning vulnerabilities, some of them are quite old.
You know, they've been, these vulnerabilities and remediations for them have existed for
a long time.
And, you know, they're still there.
And so, you know, if you combine that with that, this is a pretty well-financed infrastructure
sector that has some pretty old vulnerabilities still.
I think those two things
in combination are definitely notable. And do you have any insights as to why there might be
that little disconnect there? Is it a matter of organizations not having a handle on
their inventory? Or why do you suppose that might be the case?
Yeah, I think it's two or three factors.
The first factor is that organizations have reasonably good tools.
There are reasonably good tools available and that have been available for a long time
to inventory your assets and to scan your assets to identify vulnerabilities and then to various ways to kind of prioritize your patch management.
And that's a fairly mature capability.
We expect that most organizations, particularly in the financial services sector, have that capability.
But there's something that, you know, it's not really all that new, but just kind of feels new. And that's that most of those well-established
tools don't scan what is connected to the internet. They do scan what's connected to
your internal networks behind a firewall and so forth, but they're not scanning what, you know,
Gartner and others call the external attack surface. And of course,
over the last several years, everyone has moved more and more things to that external surface,
using cloud services and SaaS services and VoIP services, et cetera. And so it's a combination of not having the visibility,
not really tracking those things as well. And so they're not well managed, they're not particularly
visible. And we see that really across infrastructure sectors. Again, we've focused
on financial services, knowing that it was really sophisticated. So potentially notable that even in
a sophisticated infrastructure sector. The second thing in your question, though, I think there's just so many
vulnerabilities. So many means, I mean, we could talk about the state of software, and I think
it's a really important conversation that's going on right now. But as a practical matter, if you're
a CIO or a CISO, there's probably more vulnerabilities than you can patch.
And prioritizing the ones that you patch is really, really hard. Of course, what we were really trying to get at through the research that we did is, and an even higher bar than that is,
it's known to be exploited and it's connected to the internet, which means that adversaries are
going to, they're going to find you and it will be exploited.
And so you've got a limited window to address that.
Well, based on the information that you all have gathered here, what's your advice?
What are the words of wisdom for folks out there trying to defend their organizations?
Probably the two most specific things that I could say is prioritize the KEVs for sure. They're not your run-of-the-mill
vulnerabilities. You must act with urgency. Adversaries are going to find them. So prioritize
those of all the vulnerabilities that you have to manage and all the difficulties sometimes it is to
take down a system and get it patched. You got to prioritize those. And then the second thing is, you probably already
have internal scans that are taking place and internal inventory management is taking place.
Don't neglect your external attack surface. Don't forget about all those cloud services,
all those web services, all those things that you may not even know are connected to the internet
that are connected to the internet. And so if you take those two pieces together, I think that getting that
additional visibility from your external attack surface and then prioritizing your KEVs, those
are my two strongest recommendations. I think there's a third thing that we're starting to
have more conversations about, and it's really about like how much external attack surface should you really have?
You know, ideally, you don't have a whole lot of things
that are connected directly to the internet.
That should be a really, really minimal set.
And it always was when everything was behind a firewall,
but it is increasingly getting bigger and bigger.
And I would say that, you know,
if you think about kind of the old days of shadow IT, that was usually things that you didn't know were running on your corporate network
or in your corporate Wi-Fi that just kind of snuck in the organization somehow. The shadow IT
has now moved to the cloud. The shadow IT is now on the internet. And most of the customers we're
talking to are surprised by the things that they find when they start to look at their external attack surface.
And so it's not really even about vulnerabilities at that point.
It's really about what am I really running?
What are the real assets?
Where are they?
Let me get those under management.
And usually it means let's minimize that attack surface as much as we can.
That's Bryan Ware from LookingGlass.
A potential consideration for those entering the exciting world of cybersecurity is which color-coded team do you want to focus your energy and expertise?
There's the red team, playing the role of the attacker by trying to find vulnerabilities and break through cybersecurity defenses.
The blue team defends against attacks and responds to incidents when they occur.
And of course, there are various shades of purple in between.
For insights on what it takes to be an effective red teamer, I spoke with Rob Shapland, ethical hacker and head
of cyber innovation at Falanx Cyber. So red teaming is more like a full-scale simulation
of a criminal attack. So in normal ethical hacking or penetration testing, you're given
one target, might be a website.
It might be the external facing infrastructure of a company.
But in red teaming, it's kind of anything goes within the confines of the law.
So I might be given the name of a company and an objective.
So go and get this file from those systems.
And I have to plan everything around that.
And everything's in scope.
All the systems are in scope.
Social engineering, so I can do phishing attacks. I can do phone calls, I can do physical intrusion of buildings, dress up as an employee, for example. And then it's all based around that
objective. If I achieve that objective, I've done the test. If I don't, then obviously there
are findings along the way, but I haven't achieved what I set out to do.
And in terms of the ethics themselves, I mean, how does that intersect with this?
So the ethics of it are I'm not a black hat hacker.
So I am not trying to install ransomware on the network.
I'm not trying to steal data and then sell it to other criminals.
The ethical part of it is I will then tell you what I did and then help you fix it.
The idea being if real life criminals do actually go for you, you've already got the defenses set up to hopefully prevent them from getting in. Can you give us an example of a
campaign that you've done here? Something that might illustrate exactly how you go about this?
Yeah, sure. So I had to do a red team exercise against a company that develops vaccines.
They wanted me to go in and attempt to steal the vaccine design off of the
network. So if you think about if you're planning this from scratch, you don't know anything much
about the company. So you're going to start off with basic stuff like looking at the company's
website, looking at their social media pages, et cetera. So on that, I basically designed a
phishing attack that tricked an employee into opening up an attachment that I'd designed to try and evade
antivirus. And I used the ruse based around their social media pages. So I found out they'd been
away on holiday. I saw in the background, one of the photos, the name of the hotel they'd been
staying in. I then Googled that hotel quickly, stole the logo they used, the font, the style
of writing and everything like that. And then sent them an email that looked like it had come from that hotel saying they'd left some valuables behind
in their room. And I used a really similar domain to what the website used. That allowed me to trick
them into opening up an attachment, which gave me access to their laptop, which then allowed me to
extract passwords and things from there. Now, the objective that the actual vaccine design was
stored on their internal network only, it wasn't very easy to get to from the Internet.
So I decided to do a physical intrusion, so a social engineering attack on their building and try and get inside.
And to do that, I dressed up as a telecoms engineer.
So high-vis jacket, bag full of tools and cables, et cetera.
Turned up at their office and basically said there's been a network issue.
We need to get me in the building to run some diagnostics.
It shouldn't take me more than half an hour.
Do you mind if I run upstairs?
And I was kind of hoping she would just let me in on the back of that.
But she said, no, I'm sorry, we can't let you in.
I need to speak to someone first.
Have you got a name of someone that called you?
So I pretended that a person in their IT team, a real employee called Adam,
had phoned me up. And the reason I chose Adam is because I knew from his Facebook page that he was on holiday. So he put something on his Facebook page saying he was flying to
somewhere in Eastern Europe, I think. And therefore, I knew he wouldn't be able to get
hold of that day. So I thought, okay, this is a great target because if she asks me,
I can give his name, she'll phone him up, won't be able to get hold of him. So I did exactly that. She couldn't get hold of him.
She then came back to me and said, look, I'm really sorry, but I can't get hold of Adam,
but I'm really busy. Could you give him a call? And she gave me his phone number.
So I took that, left the office and then phoned up my office and said, could one of you guys
pretend to be this Adam guy from their head office, phone up this receptionist and pretend
it's all right for me to come in. So one of my
team did that, convinced her, and then I got the visitor badge and everything that you need when
you're going into a building. I was just about to go upstairs and she went, oh, no, no, hold on here
for a minute. I'll call down our IT person to help you out, which wasn't great for me because
there is no network problem. I've completely made that up. It's going to be very difficult to hack
into a network, of course, with an IT person sat next to you as well. So I thought, okay,
maybe this isn't going to work. But I've done building intrusions about 200 different buildings
over the last 10, 15 years. And I know that the only time it really goes wrong is when you break
character and look suspicious and things. So I thought, okay, if I just act like an engineer
would wait around here and see what happens.
And the IT guy comes and gets me, doesn't really say anything,
takes me up in the lift.
We get to the top floor and he turns around to me and says,
the strange thing is we don't even use your company for our telecoms,
but come in anyway.
So he kind of let me in regardless, sat me down at a desk
and gave me basically unfettered access to their network
for about the next hour and a half because he went off for a meeting. And that was enough time to use the
username and password I'd stolen from the phishing attack previously, deploy that. That happened to
be someone quite senior in the company that had extended access across the network. I was then
able to access the file server that stored the vaccine design, extract that onto my laptop and
get out of the building. So it's kind of a very whistle-stop tour. There was obviously a lot more sort of surrounding work
around that, but combining phishing attacks with a physical intrusion of their building,
and then some basic network attacks was basically the red team scenario that I chose there.
You know, it strikes me that for folks who are interested in this line of work, that not only
are your technical skills important, but you've got to be
good at improvisation as well.
Absolutely, yeah, yeah. Because if you don't include those social
engineering elements, you're really limiting what you can do, and you're not fully simulating what a
criminal might do as well. So, you know, even talking about phishing scenarios, you've got to be quite
creative in how you come up with the idea of how you're going to convince that person to open that
attachment, that link, like I said, and using social media to make that attack really believable.
But also, yeah, the physical intrusion is obviously completely different to the technical
side of ethical hacking because you're essentially being an actor. You're going in pretending to be
an engineer or an employee. You're playing a role. You're preparing the props. You're then
not panicking when you go inside. And then you're switching to your technical role once you've got into the building and trying to use that access.
So it's a really varied, interesting job. And obviously, red teaming is a little bit along
the line of the career. You don't generally go straight into penetration testing or ethical
hacking. You're straight into red teaming because you don't have the skills yet, but it's something
you can build up to. And once you do, it's an incredibly rewarding and interesting career.
That's Rob Shapland from Falanx Cyber.
Cyber threats are evolving every second.
And staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester, with original music by Elliot Peltzman.
The show was written by John Petrick. Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
You can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.