CyberWire Daily - Cyberespionage and developments in the cyber underworld, including an offering in the C2C market. Russian hacktivist auxiliaries stay busy (and so do their masters in the organs).

Episode Date: July 21, 2023

The Lazarus Group targets developers. Threat actors target the banking sector with fake LinkedIn profiles and open source supply chain attacks. Vulnerabilities reported in OpenMeetings. HTML smuggling... is sold in the C2C market. Johannes Ullrich from SANS describes attacks against niche web apps. Our guest is Damir Brecic of Inversion6 discussing the privacy and security concerns of Meta's new Threads app. And Romania's SRI reports a pattern of Russian cyberattacks. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/138 Selected reading. GitHub warns of Lazarus hackers targeting devs with malicious projects (BleepingComputer) Cyberattack on GitHub customers linked to North Korean hackers, Microsoft says (Record) Security alert: social engineering campaign targets technology industry employees (The GitHub Blog) First Known Targeted OSS Supply Chain Attacks Against the Banking Sector (Checkmarx) A Twist in the Code: OpenMeetings Vulnerabilities through Unexpected Application State (Sonar) Fresh Phish: HTML Smuggling Made Easy, Thanks to a New Dark Web Phish Kit (INKY) KillNet Showcases New Capabilities While Repeating Older Tactics (Mandiant). Pro-Russian hacktivists increase focus on Western targets. The latest is OnlyFans. (CyberScoop). Anonymous Sudan DDoS strikes dominate attacks by KillNet collective (SC Media) Romanian Intelligence General: All Russian secret services attempted cyber attacks against Romania (ACTMedia) Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The Lazarus Group targets developers. Threat actors target the banking sector with fake LinkedIn profiles and open source supply chain attacks. Vulnerabilities are reported in OpenMeetings. HTML smuggling is sold in the C2C market.
Starting point is 00:02:14 Johannes Ullrich from SANS describes attacks against niche web apps. Our guest is Damir Brecic of Inversion6, discussing the privacy and security concerns of Meta's new Threads app. And Romania's SVR reports a pattern of Russian cyber attacks. I'm Dave Bittner with your CyberWire Intel briefing for Friday, July 21, 2023. GitHub has uncovered a low-volume social engineering campaign directed at employees of technology firms. This campaign employs a combination of repository invitations and malicious NPM package dependencies to compromise personal accounts. The group responsible for this activity is believed to be associated with North Korean objectives
Starting point is 00:03:21 and goes by the name Jade Sleet, according to Microsoft Threat Intelligence, and TraderTraitor, as identified by the U.S. Cybersecurity and Infrastructure Security Agency. Jade Sleet primarily targets individuals linked to cryptocurrency and blockchain related organizations, while also focusing on vendors used by these firms. The attack commences with threat actors impersonating developers or recruiters through fake or compromised accounts on platforms such as GitHub, LinkedIn, Slack, and Telegram. After gaining the victim's trust, the attackers persuade them to collaborate on a GitHub repository. After that, the victim unknowingly clones and executes the repository,
Starting point is 00:04:07 which contains the malicious NPM dependencies. GitHub confirms that no systems on their platform or NPM were compromised during this campaign. Checkmarx reports on the first known open-source software supply chain attacks that are aimed at the banking sector. In one instance, a threat actor masquerading as a bank employee utilized a fake LinkedIn profile to distribute malicious packages to other bank employees. These packages scan the victim's
Starting point is 00:04:38 computer operating system and execute a second malicious NPM package accordingly. Notably, the Linux-specific encrypted file used in this attack managed to avoid detection by popular scanning service VirusTotal, enabling the threat actor to maintain a concealed presence on Linux systems. The attackers exploit Azure's CDN subdomains, even incorporating the targeted company's name in the subdomain, to deliver a second-stage malicious file named Havoc Framework. This approach cleverly bypasses traditional denylist methods, utilizing Azure's legitimacy as a service. Havoc Framework, known for evading standard defenses like Windows Defender, has become a preferred toolkit for threat actors, replacing legitimate options such as Cobalt Strike, Sliver, and Brute Ratel. Despite the discovery and removal of the malicious open source packages, Checkmarx anticipates the continuation of supply chain attacks, especially against banks.
Starting point is 00:05:51 Researchers at security firm Sonar have identified three vulnerabilities in the OpenMeetings web conferencing application. Exploitation of these vulnerabilities could lead to the acquisition of administrative privileges and the execution of remote code. The attackers can hijack an OpenMeetings instance and execute commands on the underlying server, requiring only an account that they can create within the default configuration. These vulnerabilities were addressed with the release of Apache OpenMeetings 7.1.0. Researchers at Inky have detected a phishing kit being employed for HTML smuggling campaigns. In these attacks, cybercriminals use personalized emails to deceive recipients about urgent issues with their company benefits, payroll, or health insurance accounts.
Starting point is 00:06:45 Features include harvesting user credentials, using parts of the recipient's email address in the sender's display name and email subject, containing fake confidentiality disclaimers, and encoding the malicious script to evade email scanners. This phishing kit is available on the dark web's criminal-to-criminal market, where advanced hacking tools are commodified and accessible to less skilled cyber criminals. Anonymous Sudan, a group associated with Russian intelligence services, continues its distributed denial of service attacks against various Western organizations. Their recent target, online subscription service OnlyFans, fell victim to their opportunistic disruption, albeit without significant strategic implications. Mandiant's research links Anonymous Sudan to the larger group Killnet, and while direct cooperation with Russian security services remains unconfirmed, the targets consistently
Starting point is 00:07:39 align with Russian state interests. The researchers foresee further DDoS attacks from Killnet and its affiliates, expecting them to become more audacious in their operations. The hacktivist auxiliary's style is characterized by swagger and swank, echoing the overarching message of Russian influence operations: fear us, take us seriously, and be afraid.
Starting point is 00:08:04 And finally, Romania's intelligence service, the SRI, has reported encountering cyberattacks from all three major Russian intelligence services, the SVR, GRU, and FSB, since Russia's invasion of Ukraine in February 2022. The attacks demonstrate the persistent cyber threat posed by Russian intelligence across various sectors and countries. Coming up after the break, Johannes Ullrich from SANS describes attacks against niche web apps. Our guest is Damir Brecic of Inversion6, discussing the privacy and security concerns of Meta's new Threads app.
Starting point is 00:08:51 Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:09:28 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:10:17 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:10:57 Social media giant Meta recently released their Threads app and platform to much fanfare and debate. Many see it as a direct shot across the bow of Twitter, where things are not what they once were. Damir Brecic is CEO at security firm Inversion6, and I reached out to him for thoughts on Threads. So in essence, it's a microblogging app, very similar to Twitter, allows folks to communicate both on a personal as well as on a professional level, typically through a mobile application. And so what are some of the specific concerns that you have with Threads as a security professional? I took a look at it more from a corporate perspective,
Starting point is 00:11:46 right? So in today's day and age, a lot of folks are using a personal device or personal cell phone, but also having that ability and connection to their work life. So I really looked at it more from that perspective than anything else. And one of the things I noticed is the fact that it really doesn't encrypt any other messaging, which Twitter does. Also, I had a few concerns around their actual data privacy policy. I ended up looking up on Wired.com, and there's actually a great article there with regards to some of the information that threads could be collecting, such as your purchase histories, but also your financial information, all of your contact information, your browser history, so on and so forth. So because there isn't an encryption in place, if you will, the mobile apps can become very
Starting point is 00:12:41 susceptible. One of the biggest threats there would be something like a man-in-the-middle attack, for example. Yeah, and I suppose it's fair to say that Meta's reputation precedes them when it comes to gathering up people's personal information. Right, exactly, right. So it's that kind of old-school George Orwell 1983 sort of fear, right, where Big Brother's watching everything, and now we're being, to a certain extent, profiled, which on one hand can be somewhat
Starting point is 00:13:11 interesting, right? So when my wife and I are walking around, you know, let's say in a mall type setting or, you know, we're visiting a new location, we may get an occasional pop up here or there with regards to, hey, there's this, there's this sale going on here or whatever. And so from that aspect, it feels not that threatening. But then all of a sudden, if you're in a more work-related aspect, or let's say you're traveling for business, and all of a sudden you could be starting to get suspicious links sent your way or some sort of suspicious advertising coming your direction that you haven't even asked for, nor are you prompting on your own. I'm curious, your perspective as a CISO, the notion of prohibiting users from accessing an app like this versus an educational approach or trying to provide guidance. I guess I'm thinking about the potential for shadow IT, where if you tell somebody no,
Starting point is 00:14:14 that can make it even more alluring. Yeah, agreed. I think first and foremost, it always starts out with strong awareness, right? So if you're going to be bringing on an application onto your personal device, it has to meet a minimum requirement. And I think that's up to those individual businesses. You know, let's say, you know, hypothetically, let's say they decide, hey, it has to have some sort of an encryption capacity or capability similar to like a Twitter, for example. You know, that could be one of the requirements. Making them aware of what some of the potential harms can be, making them aware of the threats that are out there. The one that I mentioned earlier was the man-in-the-middle attack.
Starting point is 00:14:52 They could become very susceptible to that in their general lives, not necessarily just from a business perspective, but also what type of content are you sharing? What level of sensitive information to critical information are they sharing? So again, it's a level of due diligence that companies need to start to become much more diligent on, especially in the dawn of new types of apps like this that are going to be coming out. And I think with this new notion of these quote-unquote Twitter killers, which technically Threads is starting to become a major competitor for them, this is probably going to become more of a newer norm where folks are going to have a kind of 31 flavors, if you will. Not to loosely use that Baskin-Robbins aspect,
Starting point is 00:15:41 but you know what I'm saying. There's going to be folks who are going to have all sorts of options going forward. And it's a matter of doing the appropriate due diligence in their processes of making sure it meets, first of all, their company's policies, but then also their own personal policies, right? If they have children, what are they exposing their children to? Who are they allowing their kids to communicate with? So on and so forth. I think a lot of that comes down to personal choice. So it's a blend of your personal and the corporate policies of the organizations you work with. That's Damir Brecic from Inversion6. There's a lot more to this conversation.
Starting point is 00:16:32 If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute. Johannes, it's always great to have you back on the show. I know you and your colleagues there at SANS have been seeing some interesting scans for vulnerabilities, looking at some web applications. What's going on here? Yeah, what's really happening is that there are sort of these, I call them niche web applications. They're important.
Starting point is 00:17:22 They're not that widely used. So the problem is a little bit that vulnerabilities in those web applications are not widely reported on. So they're often overlooked in your vulnerability management process.
Starting point is 00:17:36 We saw a couple here, Apache MiFi, that's sort of a, or NiFi, that's an application that's sort of used for machine learning to prepare data, GeoServer, something to look up geographic coordinates and properties, and then also some Jira plugins. So these are all important systems that usually hold important data, but not very commonly used. And the scans for these vulnerabilities really sort of disappear with all the noise that you have from all the bots that are looking for IoT devices. So everybody kind of focuses on the IoT devices, which are often old vulnerabilities, like for systems that are still vulnerable.
Starting point is 00:18:15 They probably have already been exploited multiple times. And these newer vulnerabilities in those niche applications are often overlooked in what attackers are then doing with them. So what's the solution here? I mean, is it as simple as, if you're using some of these niche applications, you should be looking through your logs for things that are specifically looking for them? Yeah, I think it really comes down
Starting point is 00:18:41 to the good old inventory problem, which, of course, is hard. It's hard, particularly for applications like this, because this may be something that developers just started up to experiment with. There may not necessarily be an official project yet associated with it. It's just a developer thought, hey, this is a great application, it can help us in a certain project that we're talking about. Let me just play with it to see how it works and how useful it is. But then, of course, those applications
Starting point is 00:19:08 stay up and running. They're not really being taken down. In particular, if you're using cloud systems and such to set up these applications, they may not sort of have your normal perimeter protection that you're sort of used to for other applications. Is this a particular concern for folks in the critical infrastructure or manufacturing spaces? I would imagine that those are folks who may be using specialized bits of software. I think that's part of it.
Starting point is 00:19:37 It's also just software development in general. Because software developers tend to use fairly specific pieces of software, like Jira, for example, that's often used to manage development teams. While Jira is well known, I wouldn't really call it a niche application, but in these plugins that you're installing, that sort of adds another complication to the inventory problem. Now you not only have to track that you're running Jira, you have to know what plugin you're using.
Starting point is 00:20:06 So for the folks who are charged with protecting their systems here, you mentioned this could be an inventory problem. Is this a matter of working with the folks on your team so that you know what they're running? Yes, I think that's very much it. It's informing them about these vulnerabilities and the need to track these applications. Just the awareness of showing them, hey, this is how these applications are being actually attacked. Setting up some sensors in front of these applications
Starting point is 00:20:37 can help just to show that they are being attacked. Hopefully that will then tell developers and others that are setting these applications up that they really need the cooperation of the security department, of your IT department, whoever is responsible for that, in order to adequately secure these applications. All right.
Starting point is 00:20:58 Well, Johannes Ulrich, thanks for joining us. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default- default deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Joshua Miller from Proofpoint. We're discussing their findings on Welcome to New York, exploring TA-453's foray into LNKs and Mac malware.
Starting point is 00:22:24 That's Research Saturday. Check it out. We'd love to know what you think of this podcast. N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. Our executive editor is Peter Kilpe,
Starting point is 00:23:24 and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
