CyberWire Daily - Cyberespionage and used car salesmen. Email extortion through embarrassment, not encryption. The personal is the professional. And a look back at Patch Tuesday.
Episode Date: July 12, 2023A Chinese threat actor hits US organizations with a Microsoft cloud exploit. Open source tools allow threat actors to exploit a loophole in Microsoft's kernel driver authentication procedures. A RomCo...m update. Beamer phishbait, email extortion attacks and digital blackmail. A new report concludes companies allowing personal employee devices onto their network are opening themselves to attack. Tim Starks from the Washington Post looks at Microsoft’s recent woes. Our guest is Eyal Benishti from IRONSCALES with insights on business email compromise. And a July Patch Tuesday retrospective. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/131 Selected reading. Mitigation for China-Based Threat Actor Activity (Microsoft On the Issues) Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email (Microsoft Security Response Center) Chinese hackers breach U.S. government email through Microsoft cloud (Washington Post) U.S. Government Emails Hacked in Suspected Chinese Espionage Campaign (Wall Street Journal) Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers (Cisco Talos Blog) Storm-0978 attacks reveal financial and espionage motives (Microsoft Security) Microsoft: Unpatched Office zero-day exploited in NATO summit attacks (BleepingComputer) Diplomats Beware: Cloaked Ursa Phishing With a Twist (Unit 42) Russian hackers lured embassy workers in Ukraine with ad for a cheap BMW (Reuters) Threat spotlight: Extortion attacks (Barracuda) The SpyCloud Malware Readiness And Defense Report (SpyCloud) July 2023 Security Updates (Security Update Guide - Microsoft Security Response Center) Microsoft Releases July 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA) Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws (BleepingComputer) Fortinet Releases Security Update for FortiOS and FortiProxy (Cybersecurity and Infrastructure Security Agency CISA) Adobe Releases Security Updates for ColdFusion and InDesign (Cybersecurity and Infrastructure Security Agency CISA) Apple's Rapid Security Response Patches Causing Website Access Issues (SecurityWeek) SAP Security Patch Day – July 2023 (SAP) Return of the ICMAD Critical Vulnerabilities in 2023 (Onapsis) Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A Chinese threat actor hits U.S. organizations with a Microsoft cloud exploit.
Open source tools allow threat actors to exploit a loophole in Microsoft's kernel driver authentication procedures.
A rom-com update.
Beamer fish bait, email extortion attacks, and digital blackmail.
A new report concludes companies allowing personal employee devices on their network are opening themselves to attack.
Tim Starks from the Washington Post looks at Microsoft's recent woes. Companies allowing personal employee devices on their network are opening themselves to attack.
Tim Starks from The Washington Post looks at Microsoft's recent woes.
Our guest is Ayal Benishti from Ironscales with insights on business email compromise.
And a July Patchth, 2023.
Cyber espionage from both China and Russia leads today's news. Late yesterday, Microsoft described activity by the Chinese government threat actor Itrax as Storm 0558.
as Storm 0558.
The group gained access to email accounts affecting approximately 25 organizations,
including government agencies as well as related consumer accounts of individuals likely associated with these organizations, Microsoft explained.
They say they noticed anomalous mail activity on June 16th.
Investigations subsequently determined that this was part
of a cyber espionage campaign that began on or around May 15th of this year. Microsoft said
they did this by using forged authentication tokens to access user email using an acquired
Microsoft account consumer signing key. Since discovering the activity, Microsoft has completed mitigating
its effects for all the customers involved. According to the Wall Street Journal, the U.S.
government is investigating the scope of the Chinese operation and assessing what damage it
might have caused. Microsoft has also dealt with other Chinese exploitation of its products.
Cisco Talos researchers discovered
that threat actors took advantage of a policy loophole in Windows cross-signed kernel drivers
that allowed forgery of timestamps and loading of unverified malicious drivers to expired
certificates. The advisory notes, Chinese nationals. The advisory explains that attackers can exploit the loophole to cross the
user-kernel barrier, which is crucial for maintaining the integrity and security of the OS.
Talos has alerted Microsoft, which has since disabled all forged certificates that could
have passed through this loophole. Redmond has been looking at Russian cyber espionage as well. Microsoft
yesterday published an alert on activity by Storm 0978, also tracked as Dev 0978 and commonly called
RomCom, after the name given the back door it commonly employs. Microsoft states,
We identified a phishing campaign conducted by
the threat actor tracked as Storm 0978 targeting defense and government entities in Europe and
North America. The campaign involved the abuse of CVE-2023-36884, which included a remote code
execution vulnerability exploited before disclosure to Microsoft via Word documents
using lures related to the Ukrainian World Congress.
As Bleeping Computer observes,
CVE-2023-36884 hasn't been fully patched,
but mitigations are available.
RomCom represents a mixture of symbiotic motives.
It's a ransomware and extortion operation in pursuit of direct profit, but it also conducts cyber espionage, specializing in credential theft.
The group is based in Russia and acts in Russia's interests.
We note in full disclosure that Microsoft is a CyberWire partner.
disclosure that Microsoft is a CyberWire partner. Russian intelligence services prospecting diplomatic targets in Ukraine used an ad for a nicely loaded, deeply discounted, used BMW as
fish bait to attract their prospects' eyes and clicks. Palo Alto Network's Unit 42 says the campaign, directed against 22 of the 80 embassies in Kiev, was run
by APT-29, Kozyber, that is, Russia's SVR, Foreign Intelligence Service. The fishhooks were LNK files
masquerading as images. The campaign's goal was espionage, collection against the embassies and
their contacts. The car itself was real,
as was the innocent original version of the Flyer. The black BMW 5 Series sedan belongs to a Polish
diplomat assigned to Kiev, and he was indeed interested in selling it. Suspicions were aroused
when he got calls inquiring about the price, which at 7,500 euros was lower than the one he'd posted.
Cozy Bear evidently reasoned that a lower price would attract more clicks.
Reuters reports that the diplomat still has the car.
He'll try to sell it when he gets back to Poland,
stating, after this situation, I don't want to have any more problems.
The fish bait represents a departure from that
used in earlier campaigns. Those lured had tended to be more obviously diplomatic,
invitations to embassy events, notes on humanitarian aid, and so on. Unit 42 concludes
with a warning, as the above campaigns show, diplomats should appreciate that APTs continually
modify their approaches, including through spear phishing, to enhance their effectiveness.
They will seize every opportunity to entice victims into compromise. Ukraine and its allies
need to remain extra vigilant to the threat of cyber espionage to ensure the security and
confidentiality of their information.
And if you're in the market for a 2011 Beamer, buyer beware.
Barracuda released a threat spotlight on extortion attacks this morning,
but these are not the large-scale ransomware extortions most seen in recent headlines.
These attacks instead amount to digital blackmail.
The attacker threatens to expose a compromising picture or information about an individual
unless the victim pays money. Attackers often purchase victims' login credentials or find them
through data breaches to prove that their threat is legitimate. Almost all of the attacks ask for less than $2,000,
which seems like chicken feed by cybercriminal standards.
But Barracuda analyzed over 300,000 emails that made demands at this level.
Research showed that a small number of attackers were responsible for most of the emails in the study sample,
with the top 10 Bitcoin addresses appearing in about 30% of the emails
and the top 100 addresses appearing in about 80% of the emails.
Barracuda remains optimistic about this threat,
if only because the small number of criminals responsible
means that each is a high payoff target for law enforcement.
Barracuda says,
First, we suspect that if law enforcement is able to track down
even a small number of these attackers,
they can significantly disrupt this threat.
Second, since extortion attackers seem to be copying each other
and following very similar templates,
email security vendors should be able to block
a large percentage of these attacks with relatively simple detectors.
To the authorities everywhere, good hunting for the creeps behind these scams.
SpyCloud released its Malware Readiness and Defense Report today,
which was conducted with a survey of almost 320 mid-market and enterprise IT security professionals from the US and the UK
to assess how organizations are detecting and addressing the threat of malware as a precursor
to cyber attacks like account takeover and ransomware. One of the main problems discovered
was the lack of regulation by the businesses for employees mixing unauthorized applications and work credentials in their personal and work devices.
SpyCloud wrote in their press release,
57% of organizations allow employees to sync browser data between personal and corporate devices,
enabling threat actors to siphon employee credentials and other user authentication data through infected personal devices while remaining
undetected. SpyCloud also explained that organizations are struggling with shadow IT
due to employees using unsanctioned applications and employees being allowed to use their personal
and work devices interchangeably. Finally, yesterday, of course, was Patch Tuesday. Microsoft issued security fixes
for 132 flaws, six of which were being actively exploited in the wild, bleeping computer reports.
One of the disclosed vulnerabilities, CVE-2023-36884, which hasn't yet been patched,
is a remote code execution flaw affecting Microsoft Office.
Microsoft says this flaw has been exploited by the Russian cybercriminal group Storm0978
to conduct cyber espionage against defense and government entities in Europe and North America.
Fortinet has patched a stack-based overflow vulnerability in FortiOS and Fortiproxy
that may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies
or firewall policies with proxy mode alongside SSL deep packet inspection.
SAP has issued fixes for numerous vulnerabilities, including one affecting SAP business client that was assigned a CVSS score of 10.0.
Adobe has patched 12 security flaws in Adobe InDesign, including a deserialization of untrusted data vulnerability that could lead to arbitrary code execution.
arbitrary code execution, and Apple has rolled back its rapid security response updates for iOS and macOS after the patch caused issues that prevented some websites from displaying properly.
The company stated yesterday, rapid security responses iOS 16.5.1b, iPadOS 16.5.1b,
iPadOS 16.5.1b and macOS 13.4.1b will be available soon to address the issue.
As always, review your systems and, as CISA would say,
apply updates per vendor instructions.
And admins, we wish you a happy and resolute round of patching.
round of patching.
Coming up after the break,
Tim Starks from the Washington Post looks at Microsoft's recent woes.
Our guest is Ayal Benishti
from Ironscales
with insights on business email compromise.
Stay with us.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Eyal Benishti is CEO of email security platform Iron Scales.
They recently published their first threat index report,
and one of the topics covered is business email compromise.
I asked Eyal Benishti for the details.
So I think the increase in B.C. was very interesting, as a matter of fact.
And, you know, it's something that I tend to kind of mention when speaking with CISOs and other professionals.
What we see is that for the first time, B.C. basically eclipsed ransomware and becoming even a bigger problem than it used to be.
And what sort of options are available to folks to put in place to better protect themselves from business email compromise?
So to protect against business email compromise,
companies need something that is more behavioral in nature in order to understand.
And again, in most cases, we see our emails to appeals to come,
emails to appeal to come from someone or something
that you already know.
So it will come from a colleague,
whether someone you're working with or, you know,
someone, some of the vendors that you're working with
or some type of service that is familiar to you.
And in order to be able to protect people from impersonation attempts,
a solution must be able to understand the user, the user behavior,
the social graph, what is considered trusted by every specific user
and then look for anomalies and all the known patterns.
Like I mentioned, like impersonation and specific language
that is being used in order to stop this CMS.
Because in most cases, there is no real indication of compromise.
Like I mentioned, there will be no bad IP behind this mail.
And in most cases, there will be no link or attachment.
It will just come from someone or something that he allegedly know asking to do something
that he's not supposed to do.
So be able to kind of run more advanced models at the mailbox level,
able to understand behavior and anomaly is a critical part in stopping VSC.
The other element is obviously phishing, like awareness.
Make sure that your users are aware that impersonation might happen,
that emails that lands in their mailboxes, despite the fact that they went through some layer of defense,
can still be malicious by intent and sometimes even by content.
So educating people, delivering awareness content,
phishing simulation and training, which is a more proactive way
to train users, is highly recommended.
training, which is a more proactive way to train users, is highly recommended.
And basically build a culture of people that know that they are part of the solution and they're expected to report on things that seems a little bit fishy in their environment.
Because when people are reporting on something that looks suspicious, then we have a chance
and we can do something about it,
especially if the organization is equipped with an automated solution
that can streamline anything from investigating things that people find suspicious
to the point that we can even go and claw it back from all the affected mailboxes.
And when you have this type of culture and when you have this type of solutions
that can help automate and remediate things that are slipping through protection layers,
then you can have a much, much better multi-layer type of defense against B.C. and malicious emails.
One of the things that caught my eye in the report was how many of the threats
are what you describe as unknown. These are novel threats, things that haven't been seen before.
I mean, how do folks defend against that? If something is new, is this again looking for
behavioral defenses here? You know, we can detect against known threats by having a good threat intel and
protection-based solution that can stop what is known to be bad. We can have AI and anomaly
detection against the things that are not necessarily known to be bad, but are bad by
content. So coming with some bad intent and attempting to impersonate something that we
know, like we mentioned, they follow a specific pattern. We call them the known unknowns.
And in order to detect the unknown unknowns,
people, organizations really need to kind of adopt a real-time
threat intelligence gathering, which in our view can only
be achieved by, at the end of the day, crowdsourced this whole effort
of detecting what is slipping through threat intelligence and AI models.
And again, it's back to the user that we spoke about.
How do you train your users to report these kinds of emails?
How do you equip security team with automated tools that help them to quickly investigate
or automatically investigating and remediating these type of emails?
And then how do you take it even one level up
and provide organization with a tool that actually allows them to collaborate
with each other in real time and help them be aware to the fact that
they're not the first one to deal with this type of email
or incidents,
and other companies have already made a decision or passed a verdict about a similar type of email,
and they probably want to do the same.
So at the end of the day, in order to be able to detect the unknown unknowns or the zero days in our world,
organizations really need to adopt a continuous AI approach.
How do you build or how do you adopt an AI solution that can continuously learn
about new threats all the time in real time?
Because when we talk about machine learning and AI, they're just as good
as the data that we feed into them.
So if I feed a model with yesterday's data,
no matter how great the model is,
its ability to predict something that it never seen before is close to zero.
On the other hand, if I have online models
that are constantly learning,
and not just learning based on raw data and metadata,
but they're learning from human beings,
kind of interacting with them and pushing new type of intelligence in real time.
Then we have a more continuous type of AI approach that can constantly learn
and close the feedback loop and be able to detect new trends,
sometimes even in seconds, and stay as close as possible to what is trending out there.
There are millions, millions of new phishing emails that are being created on a daily basis.
We're expecting these numbers to grow significantly, again, with all the chat GPT and AI, generative AI that we're seeing out there.
So there will be a lot of unknown unknowns out there.
And our only way to detect them
is to be able to quickly feed our models
with relevant, up-to-date data.
That's Eyal Benishti, CEO of Ironscales. it is always my pleasure to welcome back to the show tim starks he is the author of the
cyber security 202 at the washington post tim great to have you back. Yes, great to be back. As we are recording
here today, there are a couple of developments related to Microsoft that you've been covering
and some of your colleagues at the Post have been covering as well. What's going on here, Tim?
So I think the bigger development, not that the other one is small, is from a story that my colleagues Alan Nakashima, Joseph Mann, and Shane Harris wrote up today.
That is quite the all-star lineup.
Shane Harris is one of the guys I followed his early reporting on cyber and was like, that's great.
I'd love to do what he does.
Alan Nakashima is my favorite reporter, and Joseph Mann is just one of the really great cyber reporters out there, too.
So they broke a story about how Chinese hackers have used this vulnerability in Microsoft's cloud that has allowed them to target U.S. government email accounts.
Microsoft itself says that there are only 25 organizations that this has affected, but it does include government agencies.
The FBI is looking into it.
It doesn't look like Pentagon intelligence or military email accounts are affected.
So we're still learning about this one.
It's the latest in a line of Microsoft issues where the U.S. government has been affected.
line of Microsoft issues where the U.S. government has been affected. SolarWinds was one of the biggest ones, obviously, because that was part of that Microsoft vulnerability. So this is another
problem with Microsoft coming up and being a part of an espionage campaign. This is apparently,
again, from China. I saw some interesting commentary. Folks were saying that Microsoft did sort of the equivalent
of a Friday afternoon news dump on a Tuesday afternoon
by sort of a quiet blog post about this.
And I suppose they were obligated to reveal this
because the government was involved?
I think so.
I mean, certainly they would have been aware
that some potential news stories were about to come out about it.
So first, if they knew we were writing about it, they would have been obligated.
And our story came out at, I think, 1 a.m.
So it's not terribly surprising that they did it when they did.
Perhaps they could have done it earlier, but at a certain point they had to have done it.
Yeah. And what's the story that you covered in the 202,
also Microsoft-related?
Yeah, so this was something that Microsoft had talked about
earlier in the day,
where there's a Russian group called RomCom.
I like that name a lot, by the way.
Romantic comedies are a great organization to imitate.
Anyway, this is a campaign where Windows was again exploited.
The unpatched bug in Windows and Office products.
They are working to address that flaw.
And this campaign is going after, apparently, NATO targets.
So there's the summit in Lithuania that's happening.
And BlackBerry had some research on this that they came out with.
And they apparently are impersonating
a Ukrainian organization.
That's obviously ongoing Russia-Ukraine cyber hostilities
that are all taking center stage in the NATO summit now.
But also there's this sort of side campaign
of issues that are coming up in
cyberspace related to NATO. Yeah. To what degree is Microsoft sort of taking it on the chin for
these vulnerabilities? Or is this something that could happen to anybody? Or are they getting
more than their share of criticism here? It is certainly something that can happen to anybody,
but there are two things that are of note here.
One, Microsoft is so massive.
They're such a part of everybody's daily email.
They're such a part of all those office products
that they're going to be a juicy target
that anybody who's a hacker is going to want to go after.
But they do have a history of not maybe doing as good
a job of taking care of these things as people think they ought to.
You can talk about Apple's security compared to Microsoft. That's always been a
point of comparison. Apple seems to do a better job overall. But they're
also just not quite as widespread. So I think it's a mix of both, that they're just omnipresent
in a way that nobody else is, and also that not quite as widespread. So I think it's a mix of both, that they're just omnipresent in a way that nobody else is,
and also that there is a track record here
that suggests that they could be doing better than they are.
Yeah, it's complicated, right?
Yeah.
I mean, not to give Microsoft a free pass,
but it's certainly interesting to analyze these things.
As you say, they are a big, juicy target,
but at the same time,
they've got a responsibility to look after these things.
Yeah, they have such a unique position
in the ecosystem,
if you'll allow me to use a sort of stupid,
jargony term.
They also make a lot of money off of security um doing security
and and i you know i read an article a couple years back about how they are i think the best
quote in the story was microsoft is both part of the problem and part of the solution right and if
you look at how much work they do on security and how many things they reveal about what's going on
in cyberspace not just about what's going on with their own company but also what's going on with threat actors they've made some pretty big revelations about what's going on in cyberspace, not just about what's going on with their own company, but also what's going on with threat actors.
They've made some pretty big revelations
about what's happening in the cybersecurity world
and the hacking world.
I think the comparison I had at the time
was that they have powers that are, in some ways,
superior to the federal governments
or certain federal government agencies anyway.
They don't have the ability to punish hackers,
but they have research capabilities
and they have access to resources that are unparalleled in certain ways.
Yeah.
I remember, this is years ago,
when Microsoft was on a bit of a tear
of buying up some antivirus companies.
That's another one, yeah.
Right, and there was some raised eyebrows
of the joke was
that they're the problem
and the solution.
They're buying companies that take care
of some of the vulnerabilities that were inherent
in Windows at the time.
That's a good business model, right?
Have some vulnerabilities in your system,
buy the companies that solve the vulnerabilities,
repeat, rinse.
It's practically an old chestnut and I think perhaps at this point have some vulnerabilities in your system, buy the companies that solve the vulnerabilities, repeat, rinse, you know. Yeah, yeah.
I mean, it's practically an old chestnut.
And I think perhaps at this point,
not entirely fair,
but it certainly was a criticism at the time.
Yeah, I mean, the scenario I mentioned,
the scenario I mentioned is obviously not what's happening,
but it certainly comes to mind.
Yeah, absolutely.
All right.
Well, Tim Starks is the author
of the Cybersecurity 202 at the Washington Post. Tim, always a pleasure to have you join us. Yes, absolutely. All right. Well, Tim Starks is the author of the Cybersecurity 202 at The Washington Post.
Tim, always a pleasure to have you join us.
Yes, always.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant. Thank you. email us at cyberwire at n2k.com. Your feedback helps us ensure
we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data
into innovative uses that deliver measurable impact. Secure AI agents connect, prepare,
and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.