CyberWire Daily - Cyber spies and vulnerability goodbyes. RedLine Stealer and Vidar: the cryptkeepers. Social engineering TTPs.
Episode Date: June 22, 2023

North Korea's APT37 deploys FadeStealer to steal information from its targets. Apple patches vulnerabilities under active exploitation. Access to a US satellite is being hawked in a Russophone cybercrime forum. Russian hacktivist auxiliaries say they've disrupted IFC.org. Unmasking pig-butchering scams. Social engineering as a method of account takeover. Fraudsters seen abusing generative AI. Sergey Medved from Quest Software describes the "Great Cloud Repatriation". Mark Ryland of AWS speaks with Rick Howard about software defined perimeters. And embedded URLs in malware.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/119

Selected reading.
RedEyes Group Wiretapping Individuals (APT37) (Ahn Lab)
Apple fixes iPhone software flaws used in widespread hacks of Russians (The Washington Post)
Apple issues emergency patch to address alleged spyware vulnerability (Cyberscoop)
Apple patch fixes zero-day kernel hole reported by Kaspersky – update now! (Sophos)
Military Satellite Access Sold on Russian Hacker Forum for $15,000 (HackRead)
Well done. Russian hackers shut down the IMF (Dzen.ru)
Why Malware Crypting Services Deserve More Scrutiny (KrebsOnSecurity)
Unmasking Pig-Butchering Scams And Protecting Your Financial Future (Trend Micro)
Classic Account Takeover via the Direct Deposit Change (Avanan)
Q2 2023 Digital Trust & Safety Index (Sift)
Compromised Domains account for over 50% of Embedded URLs in Malware Phishing Campaigns (Cofense)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
North Korea's APT37 deploys FadeStealer to steal information from its targets.
Apple patches vulnerabilities under active exploitation.
Access to a U.S. satellite is being hawked in a Russophone cybercrime forum.
Russian hacktivist auxiliaries say they've disrupted IFC.org.
Unmasking pig-butchering scams.
Social engineering as a method of account takeover.
Fraudsters are seen abusing generative AI.
Sergey Medved from Quest Software describes the great cloud repatriation.
Mark Ryland of AWS speaks with Rick Howard about software-defined perimeters.
And embedded URLs in malware.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, June 22, 2023.
AhnLab describes a cyber espionage campaign by North Korea's APT37,
which deploys a new information-gathering tool, FadeStealer, against its target.
The gang's scope seems to cover surveillance of individuals in South Korea whom Pyongyang regards as actually or potentially hostile,
North Korean defectors, human rights activists, and university professors.
The gang, known also by names that include ScarCruft, Reaper, and RedEyes,
begins their attack with a spear-phishing
email baited with a password-protected document. Executing the included CHM file also executes
PowerShell malware that installs a backdoor. An auto-run registry key enables the malware to
maintain persistence. The next stage involves the installation of a second backdoor,
AblyGo backdoor, which, as its name suggests, exploits the legitimate Golang-based Ably
platform. AblyGo enables subsequent privilege escalation, exfiltration, and malware installation.
FadeStealer includes eavesdropping functionality, taking control of the affected device's microphone
to collect ambient speech and other sounds. Apple has patched two security flaws that were used in
hacks against thousands of Russian devices, the Washington Post reports. Russia's Federal Security
Service, also known as the FSB, has attributed this campaign to the United States National Security Agency,
but there's no evidence of NSA's involvement apart from the FSB's accusation. The FSB itself
has refrained from explaining how they reached their conclusion. An Apple spokesperson told
CyberScoop that the company has never worked with any government to insert a backdoor into any Apple product and never will.
In its security update, Apple says the hack allowed for the execution
of arbitrary code with kernel privileges.
Sophos writes that the two vulnerabilities have been patched
in Apple's latest update on all devices,
with the possible exception of tvOS,
which the cybersecurity firm says may just have yet to receive an update.
It is strongly advised that those with Apple devices update as soon as possible.
HackRead reports that a Russian-speaking hacker is offering access to a Maxar Technologies U.S. military
satellite for $15,000. The account posting the offer, Labs666, offers to receive funds through the trusted third-party payment service Escrow. It's difficult to know what to make of the claim,
which seems a little excessive for credibility. Russian website Dzen.ru reported that the so-called
Darknet Parliament, composed of Killnet, Anonymous Sudan, and REvil, claims to have taken down the International Finance Corporation's website, ifc.org.
The attack started yesterday morning, and the hacktivist auxiliaries called the DDoS attack just the beginning.
The Telegram pages for the associated groups are notably light on the usual updates regarding their cyber activities, with Killnet posting a statement that is unusually
modest of the group, saying that, unfortunately, IFC is no longer working, says Killnet. The claims
await confirmation. It's worth noting that Dzen.ru is clearly editorially on the side of the Russian hacktivist auxiliaries.
The outlet refers to the groups as Our Valiant Anonymous Sudan and Killnet,
lending more circumstantial credibility to the conclusion that Anonymous Sudan is a Russian front group.
Krebs on Security has described in detail Cryptor.biz, one of the more popular crypting services available to the criminal underworld.
Crypting, Krebs on Security explains, is disguising or crypting your malware so that it appears benign to antivirus and security products.
Cryptor.biz is a tried-and-true crypting service recommended by RedLine Stealer and Vidar as one of the more reliable places a criminal can go to get malware crypted.
Krebs on Security tracks email addresses involved with Cryptor.biz
and links these, in turn, to usernames and websites associated with a particular individual.
As Krebs on Security puts it,
it makes a lot of sense for cybersecurity researchers and
law enforcement alike to focus attention on the top players in the crypting space for several
reasons. The most critical reason, Krebs writes, is that the threat actors recommending the use
of the cryptor tend to be among the most experienced and connected malicious coders on the planet.
Trend Micro has published a report with their latest take on pig butchering, a type of cryptocurrency scam in which victims are tricked into investing in fraudulent cryptocurrencies.
The flow of a pig butchering scam begins with the addition of potential victims to a fake
chat group on investing. The firm writes that if a victim
shows interest in investing, the conversation evolves into a one-on-one chat. From there,
the victim is introduced to a fake brokerage service and prompted to transfer funds to its
website. This cycle repeats itself as new victims find their place in the grasp of the malicious
actor. The researchers determined that one group of pig butchering scammers
made nearly $4 million between January and March of 2023.
Avanan outlines a social engineering attack in which threat actors compromise a victim's work
email account and use the account to request a payroll information change. This specific attack
sees threat actors posing as company employees
reaching out to their respective HR departments, requesting a change in the bank account associated
with their direct deposit. Avanan notes that people change banks all the time. Sometimes
people want the money split into multiple accounts. Whatever it is, it's not unusual to receive this sort of request.
Sift has released its second quarter of 2023 Digital Trust and Safety Index, focused on
fighting fraud in the age of AI automation and discussing the use of generative AI in social
engineering schemes and the fears from consumers surrounding the new technology.
The fears aren't entirely groundless. Sift writes that within the last six months,
68% of consumers noticed an increase in the frequency of spam and scams,
likely driven by the surge in AI-generated content. The company's data also shows a 40% jump in blocked fraudulent content from 2022 to the first quarter
of 2023. This increase is anticipated to continue into the future. The threat associated with AI is
that it lowers the barrier to entry for fraud and social engineering scams. There's an easy
plausibility to the language it generates that outdoes the text non-native or even less gifted
native speakers produce. And finally, cybersecurity firm Cofense has found that compromised domains
make up over half of embedded URLs used to deliver malware. Compromised domains, the firm says,
are accessible by actors of varying skill levels, are effective at bypassing secure
email gateways, and are somewhat effective at fooling potential victims. Abused domains,
such as those using Google Docs or Microsoft OneDrive, made up 37% of embedded URLs. These
domains are highly effective but short-lived due to quick detection by the hosting services.
Domains that were created by the threat actors themselves accounted for just 11% of embedded URLs.
The researchers note that created domains are typically used by more advanced threat actors,
are not highly effective at bypassing secure email gateways and are highly effective at tricking victims.
So make sure that the website you're using to buy your newest swimsuit for the summer will only take your money and not any of your sensitive data.
Actually receiving the swimsuit would be nice too.
Coming up after the break,
Sergey Medved from Quest Software describes the great cloud repatriation.
Mark Ryland from AWS speaks with Rick Howard
about software-defined perimeters.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more
at blackcloak.io.
Sergei Medved is VP of Product Management at Quest Software,
provider of cloud management services, among other offerings.
I spoke with him about a trend he and his colleagues are tracking of clients moving some critical assets back on-prem,
what some are calling the great cloud repatriation.
A lot of companies are evaluating costs.
A lot of companies are evaluating their security posture.
And this IT environment is a living organism
in a sense that things are changing every year.
And so that naturally is putting some CISOs and CIOs
into a spot where they're starting to look
at their cloud strategies
and reevaluate them.
Can you give us some specific examples
of some of the things that are making CISOs
take a closer look at this?
Yeah, the biggest trend, I think, several years ago
was obviously security.
So a lot of public cloud providers
either did not have the capabilities
to support latest regulatory
requirements, for example, HIPAA or country-specific data storage rules. That has changed, right? And
so I think we're now seeing a shift towards cost where, again, the CIOs and very often it's a board
conversation as well are realizing that a lot of the applications
that they migrated into the cloud in the past, maybe some of them don't really necessarily
have to be there.
And that's taking a toll on both the cost side of things, but also on the user experience,
because we're seeing more and more of those hybrid environments where your data perhaps
is on-premise
and some of the applications are running in the cloud,
and so there is obviously this data latency issue,
but also, as I said, cost.
The cloud provider cost has been fairly flat
relatively in the last several years,
but the cost of buying servers or real estate and data centers
or power supplies has been trending down steadily
in the last decade or so.
And so, again, if you're in the CIO position,
if you look at it,
you start to reevaluate and realize
that in many cases it may be more cost-efficient
for you to run your workloads,
some of the workloads on-premise.
What are some of the specific types of data
that folks are finding they want to pull back to be on-prem?
When it comes to regulation,
it's anything that's HIPAA-compliant, for example,
data, or PCI, payments-related data.
That's pretty clear.
For a lot of non-regulated industries, so outside maybe of finance and healthcare,
we're seeing a lot of intellectual property data or sensitive data
that customers are starting to look to move into their private clouds or on-prem.
If you are, for example, BMW or another big major company
where 20 or 50 years ago your competitive position
was how quickly you could produce cars
and put them in the hands of the customers,
now it's more about the innovation that you're doing
at your company.
So every manufacturing company these days is a technology company,
and so technology is all about data.
So you need to be looking at
which data is truly the core of your business
and which data you want to protect.
And so that can be anything
around the intellectual property, the designs,
maybe if you're a car manufacturer,
or if you're a services provider,
it can be your customer data as well.
Is there a concern about added complexity here
when you're running a hybrid operation?
Absolutely.
So at the end of the day,
you are balancing between cost and customer experience. Because if you just
go and you try to reduce cost, and that's your primary goal and objective, then you
probably would end up with an on-prem data center somewhere. But at the end of the day,
your customer experience is also equally important, whether it's your external customer or you're
serving your internal customers, your employees, say it's an HR system or whatnot.
And so we're doing software development.
And so for the CIOs, it's a balancing act.
It's making sure that the applications that you, whether you put them into the cloud or
their own premise, the latency of those applications is acceptable.
The data is flowing quickly between them.
You're not suffering from outages.
Because if you put data in or your applications
between the cloud, hybrid environment cloud and on-prem,
you're just expanding both the attack surface
from a cybersecurity standpoint,
but you're also expanding the weak spots of your architecture
or the points of failure.
Do you suppose we'll see some ebb and flow with this
between the cloud providers and the on-prem providers?
I could imagine waves back and forth.
As cloud got more popular, then the on-prem got less expensive
because it wasn't as much in demand. But now if we're swinging back to on-prem, maybe the demand
makes that a little more expensive and cloud prices go down. Do you think there's anything
to that line of thinking? Yeah, absolutely. As you said, it's ebbs and flows. Again,
with hyperscalers in the past, they've taken steps to meet government and industry requirements. So specific
cloud services are now available from major players, available
for classified data, HIPAA compliance, government data,
country-specific requirements, especially in some
Asian countries and in Europe. And this
allows for many of the businesses to, again,
reconsider moving data back into the cloud in some cases, right?
Storing your backups, for example, is a good example.
Very often, in the past, the companies kind of flocked to the cloud
and they realized that there is a risk of misconfiguration in the cloud, right?
Something that would place your data,
your backups in the cloud at risk.
They moved it to on-premise,
to their private clouds and private environments.
Now again, they're starting to look back
at the cloud offerings
because Azure, Microsoft, AWS, Amazon, and Google
have stepped up their game
and offering new capabilities that allow customers
to store their data in an immutable way.
What are your recommendations for people to come at this,
to be able to properly set their priorities
and balance their approach here?
It's all about planning at the end of the day.
Large companies like Gartner and Forrester are doing a lot of advisories
in this space, and I think Gartner even has a market guide for it.
But at the end of the day, again, without the purpose of planning,
the cloud can be more expensive, it can be less secure.
So that's the result.
The cloud repatriation is the result of it.
So proper broad mapping for the workloads,
proper planning for migrations when companies move their data,
whether it's on-premise or to the cloud,
that's a key component of making sure that the future workloads
and the data are both secure and delivering on the promise of the customer experience and cost.
That's Sergei Medved from Quest Software.
In our continuing series of interviews,
my CyberWire colleague Rick Howard gathered at the recent AWS re:Inforce conference.
Rick checks in with Mark Ryland of AWS.
The topic of their conversation is software-defined perimeters.
The CyberWire is an Amazon Web Services media partner,
and in June 2023, Jen Iben, the CyberWire's senior producer and I,
traveled to the magical world of Disneyland in Anaheim, California,
to attend their AWS re:Inforce conference
and talk with senior leaders about the latest developments in securing the Amazon cloud.
I got to sit down
with Mark Ryland, the director of the Office of the Chief Information Security Officer at AWS,
to talk about Amazon's version of a software-defined perimeter, a concept that I've
been talking about for a few years now that can greatly enhance any organization's zero-trust
journey. Amazon calls their version verified access, coupled with a specially designed open
source authorization language that they call Cedar. There's a number of use cases that when
we think about zero trust, we kind of break it into sort of three general use cases.
One is human access to applications. Another is software to software scenarios where, again,
you want even your software to be validated each time it calls and say another microservice.
And then there's another kind of broad category
that we can think of as either IoT or industrial IoT
or kind of that whole topic of, again,
it's a software-to-software scenario,
but it's often involving things like factory floor operations,
smart highways, smart buildings, all that kind of part.
And that also is considered, broadly speaking,
one of the primary use cases.
So in that first use case,
which is a very common one and one with a lot of focus,
is I have human users.
They need to access applications,
typically like enterprise apps.
And historically, we would do that with VPN technology, right?
So you log into a VPN.
Now I'm inside the corpnet,
and now I have the same access as I was on the physical network.
But again, often that access is very broad and very maybe inappropriately broad.
In hindsight, it's ridiculous that we did it that way, right?
That's right.
Although we do have in our principal engineering community at Amazon, we have a tenet, which is respect what went before.
So you have to understand there were probably reasons
that made sense at the time.
But in any case, you're right.
And so what verified access does
is it gives you that,
think of it as a smart proxy capability
that you come with your identity.
So you use your SAML token
or your OIDC token
that you got from Okta or Azure AD
or some identity provider
and you show up at this edge capability
and say, hey, I want to access this
enterprise application. And there we
run a series of security checks on
each and every request. So again, it's
this constantly being verified.
Things like device health, network
location, all these different parameters, identity,
the claims that come in through the identity provider,
augmenting those claims with other
kinds of trust signals. And then we run the Cedar policy. And Cedar is a very exciting launch
as well. Yeah, it goes hand in hand. This week, which is we're both using it inside our services,
but also open sourcing the language and the runtime so that anyone can use it, which is a
very optimized authorization language. And the Cedar policy then will tell you,
and that's kind of the security team has decided
from under what circumstances can users,
if you have an MFA, you can do certain things.
If you don't, there's other things you could do.
You make those initial kind of high-level authorization decisions.
Then you pass the identity claims back to the backend application,
which then kind of runs as perhaps as it did before,
say, as if you'd VPN'd in.
Now, over time, we expect that customers
will begin to externalize authorization decisions
of their apps, also using Cedar,
and another service we launched,
which we call Verified Permissions.
So you can think of Verified Permissions
as a service where if I'm writing
or rewriting an enterprise app,
I will externalize authorization from my business logic.
Take it out of my business logic.
That's not where it belongs.
It should be in a system designed specifically for permissioning.
And AVP, Amazon Verified Permissions, is that service.
Again, it's a Cedar language,
central control of your policies and management of policies.
But the business logic is no longer,
the authorization is no longer embedded in business logic,
which is a much better way to build enterprise apps.
So let me try to summarize what Cedar is.
It's a programming language designed specifically
to handle IAM functions, right?
And doesn't do anything else.
It's just, you know, Mark is authorized
to get to this workforce and Rick isn't kind of
things. Right. And you might ask a reasonable question. Do we need to invent another one?
There are a couple of them out there. You and I have a little bit of gray hair. So we remember
XACML, which has been around for ages. And more recently, the OPA, Open Policy Agent, has a
language called Rego. We looked hard at those. We didn't really want to invent something new,
but we decided this was such an important area
and for very specific reasons,
those just didn't really meet the requirements.
We also have a third thing option, right?
We have an IAM policy language for our APIs
and that was another option.
But looking at all those options
and we made a very strategic decision
that this is so important
that we really have to build a very optimized language, optimized in a couple of ways. Number one, the language
itself has got to be expressive and easy to read, but not too expressive because if you give someone
kind of a Turing complete language, you can write things like loops that never end. Yeah, which I've
done many times, yeah, in my younger days. Yes, and so you have to be able to prove
that these are programs that will stop executing at some point.
And if they won't, then you reject them in your language verification.
And that's the other key point is that the team that built this
was half software engineers with expertise in authorization systems
and it was half formal verification computer scientists,
people that do this kind of automated reasoning,
we call it, or formal verification,
applying their expertise to both the design of the language
so that the language itself can be,
the intent you express can be formally verified
as you essentially upload it
and reject it if it, for some reason, doesn't have the proper
computational constraints but the implementation of the language is also formally verified so every
time we do a code check and rebuild of this new feature whatever then there's a bunch of formal
verification proofs that run against every single code change so we've used it both to make to
increase the certainty of the correctness of our implementation, but also the design of the Cedar language was heavily influenced
by the need of formal verification.
So that makes it, I think, quite unique.
So the Cedar language in, what was the name of the product again?
Verified Access.
Thank you.
It's only for Amazon right now.
You guys are looking over the horizon,
so you might be able to use the same ideas
for other kinds of services?
Absolutely, yeah.
And it's already seeing uptake in the open source community
where there's a couple of ISVs out there
that already have adopted it
for their kind of authorization as a service systems
that they have in market.
And that's very exciting to see.
And we help customers use it internally.
Even if you don't use our cloud service
just use this very high quality
very carefully engineered
open source language
and set of libraries
and tests and proofs and so forth
that you can just build right into your application
if you want to do that
so we're very excited about
helping the industry to solve a problem
one other thing I'll mention is that
there's been this long-going debate
about role-based access control versus attribute-based access control,
and Cedar was designed very consciously to support both models very well.
It's not an either-or.
Just do what you got to do.
That's Mark Ryland from AWS speaking with the CyberWire's Rick Howard.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team
while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin
and senior producer Jennifer Iben. Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by Rachel Gelfand.
Our executive editor is Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can
channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act
with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.