CyberWire Daily - Crooks phish for guests; spies phish for drone operators. ZenRAT is used in an info-stealing campaign. More MOVEit-related incidents (some involving Cl0p). DeFi platforms hit. The UK hunts forward.
Episode Date: September 26, 2023
An advanced phishing campaign hits the hospitality industry. An information-stealing campaign deploys ZenRAT. More MOVEit-related data breaches are disclosed. Mixin Network suspends deposits and withdrawals. The OpenSea NFT market warns of third-party risk to its API. Phishing for Ukrainian military drone operators. Mr. Security Answer Person John Pescatore shares thoughts on Cisco acquiring Splunk. Ann Johnson from the Afternoon Cyber Tea podcast interviews Deb Cupp sharing a lesson in leadership. And the UK adopts a hunt-forward approach to cyber war.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/184
Selected reading.
Luxury Hotels Major Target of Ongoing Social Engineering Attack (Cofense)
ZenRAT: Malware Brings More Chaos Than Calm (Proofpoint)
More MOVEit-related data breaches are disclosed. (CyberWire)
Mixin Network suspends deposits and withdrawals. (CyberWire)
OpenSea NFT market warns of third-party risk to its API. (CyberWire)
Threat Labs Security Advisory: New STARK#VORTEX Attack Campaign: Threat Actors Use Drone Manual Lures to Deliver MerlinAgent Payloads (Securonix)
Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals (The Hacker News)
British Army general says UK now conducting ‘hunt forward’ operations (Record)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
Air Transat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
An advanced phishing campaign hits the hospitality industry.
An information-stealing campaign deploys ZenRAT.
More MOVEit-related data breaches are disclosed.
Mixin Network suspends deposits and withdrawals.
The OpenSea NFT market warns of third-party risk to its API.
Phishing for Ukrainian military drone operators.
Mr. Security Answer Person John Pescatore shares thoughts about
Cisco acquiring Splunk. Ann Johnson from the Afternoon Cyber Tea podcast interviews Deb Cupp
sharing a lesson in leadership. And the UK adopts a hunt-forward approach to cyber war.
I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, September 26th, 2023.
Cofense is tracking a well-crafted and innovative social engineering attack
that targets the hospitality industry to deliver advanced information stealer malware.
The campaign is ongoing, with 85% of the phishing emails observed within the past 60 days.
The researchers state, as of now, the campaign only targets the hospitality sector, primarily
targeting luxury hotel chains and resorts, and uses lures relative to that sector, such as booking
requests, reservation changes, and special requests.
Proofpoint this morning reported that a new malware strain, ZenRAT,
is currently being distributed by bogus installation packages
misrepresenting themselves as coming from the Bitwarden password manager.
How ZenRAT is being distributed is unknown,
but once it's in the victim's device,
the remote access Trojan
exhibits information-stealing capabilities. ZenRAT is unusual in that it specifically targets
Windows devices. Users of other operating systems who follow the malicious link the fake installer
offers are simply redirected to a benign site. What threat actor is behind the RAT and what information they're seeking
to collect remain unknown, but Windows users are advised to be on their guard.
Three more organizations have disclosed data breaches related to exploitation of issues
with the widely used MOVEit software.
JD Supra reports that Sovos Compliance LLC has determined that six more of its clients may have had data exposed via exploitation of MOVEit file transfer software.
Bangor Savings Bank, Pan-American Life Insurance Group, and Sealink
may have seen the names and social security numbers of their own customers accessed by unauthorized parties.
Children born in Ontario between 2010 and 2023 and their mothers
may have had their personal information exposed in a Cl0p ransomware attack
against the Better Outcomes Registry and Network,
BORN, a provincial government agency in Ontario. Bleeping Computer reported that up to 3.4 million
people may have been affected. The data exposed includes full name, home address, postal code,
date of birth, and health card number. Some affected parties also experienced compromise of detailed medical information.
The third organization is the National Student Clearinghouse.
According to Security Week,
students at some 900 colleges and universities
may have had their personal data exposed
through the National Student Clearinghouse's use of MOVEit.
It was a ransomware attack.
The data exposed varies from student to
student. Bleeping Computer reports that Mixin Network, which describes itself as a free and
lightning-fast peer-to-peer transactional network for digital assets with more than $1 billion
total value secured, announced Monday that it had suspended deposits and withdrawals after it was
attacked Saturday. The attack is said to have cost Mixin's users some $200 million.
Cointelegraph reported Monday that Mixin founder Zhidong Feng said that the core asset stolen was
Bitcoin. Developers would compensate users up to a maximum of 50% for the theft,
with the remainder distributed to the victims as tokenized liability claims.
Mixin would in time repurchase these with its future profits.
Decrypt points out an issue a number of blockchain mavens have complained about.
From its description of the incident,
it might appear that Mixin was less decentralized than people may have believed.
Decrypt reports that OpenSea, a large online marketplace for non-fungible tokens, that is,
NFTs, has warned users of its API that they should swap their keys. Whether they do so or not, all keys will expire on October 2nd.
It's a case of nth-party risk.
Bitcoinist reports that on Friday, one of OpenSea's vendors,
the blockchain data analytics company Nansen,
disclosed that one of its own third-party vendors had been compromised.
The unnamed vendor had informed Nansen that an unauthorized party had gained admin rights to an account used to provision customers' access on
their platform. Just under 7% of Nansen's customers were said to have been affected.
So, to OpenSea's customers, it's a case of risk within risk within risk.
Securonix is following a phishing campaign
that's targeting the Ukrainian military
with malware-laden attachments posing as drone instruction manuals.
The threat actor deploys maliciously altered Microsoft Help files
to deliver the malware.
The payload is an obfuscated binary that gets XORed
and decoded to produce a beacon payload for MerlinAgent malware.
Once the payload establishes communication back to its C2 servers, the attackers would have full
control over the victim host. While the attack chain is quite simple, the attackers leverage
some pretty complex TTPs and obfuscation methods in order to evade detection. Securonix tracks the campaign as STARK#VORTEX.
The nature of the phish bait shows that Ukrainian military units,
drone users in particular, are being targeted.
Securonix notes that the social engineering aspect of the campaign
allows the documents to bypass technical defenses.
Lieutenant General Tom Copinger-Symes,
Deputy Commander of the United Kingdom Strategic Command,
where he holds responsibility for the Ministry of Defense's
offensive and defensive cyber capabilities,
told the Record in a long interview that his command has,
on the strength of lessons learned from Russia's hybrid war against Ukraine,
decided to adopt a hunt-forward strategy similar to that followed by U.S. Cyber Command.
And we say, good hunting, General.
Coming up after the break, Mr. Security Answer Person John Pescatore shares thoughts about Cisco acquiring Splunk.
Ann Johnson from Afternoon Cyber Tea interviews Deb Cupp, sharing a lesson in leadership.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
to bypass your company's defenses is by targeting your executives and their families at home.
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.
Mr. Security Answer Person.
Hi, I'm John Pescatore, Mr. Security Answer Person.
Today's question, I just read that Cisco is acquiring Splunk for a huge amount of money.
Does that make sense to you?
The only reason large company A buys company B is to convince investors that company A's financial value will go up. 70% of the time that does not happen. Even if it does, 70% of the time
customers of company B's products end up unhappy. The investors in publicly traded companies are stockholders,
and increased value means the stock price goes up,
which often has nothing to do with the quality of a company's products.
For non-publicly traded companies,
it is venture capitalists and other speculative financial investors
who want reasons to increase the claimed valuation of the startup
to justify their positions.
Customers are not investors and are almost never top of mind in merger and acquisition decisions,
let alone in huge deals like this one, which is potentially the fifth largest in history.
In this particular case, investors these days favor sticky software subscription-based revenue, like Splunk's, over lumpy hardware-type revenue, like Cisco's, unless the stock is Apple, of course.
Investors have also seen that cybersecurity stocks have higher growth potential and are more recession-proof than broader IT stocks like Cisco's.
By buying Splunk, Cisco just about doubles the portion of its revenue that is cybersecurity with a big infusion of software subscriptions. But let's do the unthinkable and
consider the users of Splunk's products. Will this acquisition be good for them? Will Cisco make
decisions that make Splunk either a better or a more cost-effective SIEM solution?
Does anyone remember Cisco MARS?
Cisco has been in the SIEM market before
through licensing of software
first from NetForensics
and then by acquisition of Protego
over 15 years ago.
Cisco never executed very well
in the SIEM market.
It is actually hard for infrastructure companies
like Cisco to focus on the unique drivers in cybersecurity.
In this particular case, Splunk and Cisco also compete in what Gartner calls the application performance monitoring and observability market that is even larger than the SIEM market and has the potential of even faster growth in tandem with what everybody's calling digital experience management,
a very sexy-sounding market.
That potential is surely one of the reasons Cisco is paying such a high premium for Splunk.
So, the bad news is, Splunk may become much better at observability for applications and digital experiences,
but not so much in security.
But there is a possible good news scenario.
Better integration between security operations centers and network operations centers is an
underutilized force multiplier. Using common tools and dashboard for both network application
performance and security event monitoring can have a lot of benefits when done right.
You can use the news of this gigantic acquisition
to try to drive better integration between your NOC and SOC teams.
Of course, from our perspective,
done right means reducing false positives and false negatives seen by analysts
and not so much worrying about maximizing smiley faces and thumbs up from users.
Getting that balance right is not easy.
If you're a Splunk
customer, make sure Cisco gives you a roadmap for how that's going to happen. One final thought.
The real cost of switching security products is never as high as we often think. If you don't
get reassurance from Cisco or any other security product vendor, don't be afraid to look at alternatives and make a change. Thanks for listening. I'm John Pescatore.
Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on The CyberWire.
Send your questions for Mr. Security Answer Person to questions at thecyberwire.com.
Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast right here on the CyberWire podcast network.
In a recent episode, she interviewed Deb Cupp,
sharing a lesson in leadership.
Here's a segment from that show.
Today, we have a very special episode of Afternoon Cyber Tea.
I am thrilled, excited to be joined by Deb Cupp, who is the president of Microsoft Americas.
Deb leads the $70 billion business responsible for delivering the full product and services
portfolio of Microsoft to customers based in the United States, Canada, and Latin America.
Welcome to Afternoon Cyber Tea, Deb. I'm just thrilled to have you on.
I'm so happy to be here. It's great to be here with you, and thank you.
So what does Team Crazy mean to you, and how did you end up centering on that as part of
your leadership philosophy? Yeah, it's, you know, I think it just describes me well. And I think
back to earlier when I was talking about sports. I mean, I grew up playing sports and all team sports, by the way. So I always felt inspired by what teams can create together. And you learn so much being an athlete
around people playing their positions and recognizing that everybody has strengths and
everybody has weaknesses or areas of opportunity. And when you put people in positions to do their
very best and the team works exceptionally well together, you can accomplish things you could never accomplish as an individual.
And it's powerful.
It's the powerful watching people achieve things collectively together that they didn't think they could.
You know, I feel like I'm an arranger.
I like to sort of organize people.
And I believe I can see strengths and I have an ability to sort of get a sense of where they
belong and putting them in places to let them thrive. That is, it gives me energy. I think it
gives me an opportunity to say team is everything. And I think it's important the way teams come
together collectively. How did you get to your first board service and what surprises were there?
Yeah, sure. So, oh, it was
an interesting process, Ann, and I think it's very different depending on what type of board.
So I think I would first start by saying when people say, I want to join a board, I think you
have to understand what you're actually saying. So part of it is the demystifying is also somewhat
of understanding just what a board is. So there's nonprofit boards, there's for-profit boards,
there's startup boards, there's boards of public companies.
So there's all different types of boards.
So I think one thing I always encourage people to do
is just learn about the opportunities
across different types of boards.
Most people will start in a nonprofit or a local board.
It could be anything that you just have an opportunity
to step in and provide some guidance or leadership.
And I'll get to in a second what that actually looks like.
And I think it's, as we know,
it's a great opportunity to kind of get outside your company
or your existing job and kind of both contribute
in a different way and also learn,
which I think is pretty amazing.
You know, when you think about board
and you think about business leaders, how do organizations improve the representation of
women at very senior levels, including boards? And do you have a bold call to action here?
Yeah. You know what I think, Ann? We all know a lot of people. And so one of the things that
I committed to after I joined the board is I met a lot of people through that process and I realized
I know a lot of amazing women who also want to be on boards. So I personally just took a list of
people. I emailed all the contacts that I made in recruiting firms, other companies. And I just
said, Hey, these, here are some amazing women. So as you are looking for, if you're searching for
another board candidate at another company, I'd ask you to give these folks a call. It was so easy. You
create connections for upwards of 20 people in a minute. So if everybody just did that, like I am
so grateful as I started my board journey for the women who talked to me before I even knew what I
wanted to do. And that was the other, that's the other call to action I would have. If somebody calls you and says, hey,
can you just talk to me about what it means and how I do this? Take the call. Help somebody out.
If everybody does that, it doesn't matter if you're a man, woman, doesn't matter. Take the
call, help somebody else out, provide a list of incredibly qualified people that you know
and pass them around.
That's Ann Johnson from the Afternoon Cyber Tea Podcast interviewing Deb Cupp. You can find the Afternoon Cyber Tea Podcast right here on the CyberWire Podcast Network.
fault-deny approach can keep your company safe and compliant.
This episode is brought to you by RBC Student Banking. Here's an RBC student offer that turns a feel-good moment into a feel-great moment. Students, get $100 when you open a no-monthly-fee
RBC Advantage Banking account, and we'll give another $100 to a charity of your choice.
This great perk and more only at RBC. Visit rbc.com slash get 100 give 100. Conditions apply.
Ends January 31st, 2025. Complete offer eligibility criteria by March 31st, 2025.
Choose one of five eligible charities up to $500,000 in total contributions.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.