CyberWire Daily - Cyberespionage by several intelligence services, some of it contracted out. Developments in the cyber underworld. Vulnerabilities reported in CPUs. Some notes on Patch Tuesday.
Episode Date: August 9, 2023

Reports of a wide-ranging cyberespionage campaign by China's Ministry of State Security. EvilProxy phishing tool targets executives, and defeats multifactor authentication. Vulnerabilities in CPUs. Yashma ransomware targets a wide range of countries. MacOS threat trends. Is there a Russian attempt to disrupt British elections? Rob Boyce from Accenture checks in from the Black Hat conference. Maria Varmazis talking with Black Hat Aerospace Village's Kaylin Trychon and Steve Luczynski. Ukraine claims to have stopped a Russian spyware campaign. And Patch Tuesday has come and gone, but the vulnerabilities remain, unless, of course, you've applied the patches.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/151

Selected reading.
Chinese hackers targeted at least 17 countries across Asia, Europe and North America (Record)
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale (Recorded Future)
Cloud Account Takeover Campaign Leveraging EvilProxy Targets Top-Level Executives at over 100 Global Organizations (Proofpoint)
'Downfall' vulnerability leaves billions of Intel CPUs at risk (CyberScoop)
New Inception attack leaks sensitive data from all AMD Zen CPUs (BleepingComputer)
New Yashma Ransomware Variant Targets Multiple English-Speaking Countries (The Hacker News)
Suspected Vietnamese hacker targets Chinese, Bulgarian organizations with new ransomware (Record)
Black Hat USA 2023 – Bitdefender macOS Threat Report Reveals Key Dangers for Mac Users (Bitdefender)
Russia 'tops list of suspects' in cyber attack which exposed data of 40m UK voters (The Telegraph)
Electoral Commission hack: Five things you need to know (Computing)
'Hostile actors' hacked British voter registry, electoral agency says (Washington Post)
Electoral Commission apologises for security breach involving UK voters' data (the Guardian)
Ukraine says it prevented Russian hacking of armed forces combat system (Reuters)
Ukraine says it thwarted attempt to breach military tablets (Record)
Russian secret services try to penetrate operation planning electronic system of Ukraine's army (Ukrainska Pravda)
Patch Tuesday: Adobe Patches 30 Acrobat, Reader Vulns (SecurityWeek)
Patch Tuesday: Microsoft (Finally) Patches Exploited Office Zero-Days (SecurityWeek)
Microsoft Releases August 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA)
Fortinet Releases Security Update for FortiOS (Cybersecurity and Infrastructure Security Agency CISA)
Adobe Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA)
Patch Tuesday review: August 2023. (CyberWire)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Reports of a wide-ranging cyber espionage campaign by China's Ministry of State Security.
EvilProxy phishing tool targets executives and defeats multi-factor authentication.
Vulnerabilities in CPUs.
Yashma ransomware targets a wide range of countries.
Mac OS threat trends.
Is there a Russian attempt to disrupt British elections?
Rob Boyce from Accenture checks in from the Black Hat conference.
Maria Varmazis speaks with the Black Hat Aerospace Village's Kaylin Trychon and Steve Luczynski.
Ukraine claims to have stopped a Russian spyware campaign.
And Patch Tuesday has come and gone, but the vulnerabilities remain.
Unless, of course, you've applied the patches.
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, August 9th, 2023.
Recorded Future's Insikt Group has published a report on Red Hotel, a threat actor answering to China's Ministry of State Security
that's prospecting targets primarily in Southeast Asia,
but in other regions as well.
Microsoft tracks Red Hotel as Charcoal Typhoon.
SecureWorks calls it Bronze University.
The operation appears to be run
for the Ministry of State Security by contractors.
Recorded Future thinks Red Hotel's activity
is marked by unusual scope and intensity.
They write, since at least 2019, Red Hotel has exemplified a relentless scope and scale of wider
PRC state-sponsored cyber espionage activity by maintaining a high operational tempo and targeting
public and private sector organizations globally. The group often utilizes a mix of offensive security tools,
shared capabilities, and bespoke tooling.
The shared commodity tools include ShadowPad and Winnti.
The bespoke malware includes Spyder and FunnySwitch.
There's always an offense-defense seesaw.
One rises, the other sinks, and then the process repeats itself.
That's happening now in a spear phishing campaign Proofpoint describes in a report.
Over the past six months, the company's researchers have been watching a surge in cloud account takeovers.
The threat actors involved have been using a reverse proxy tool, EvilProxy,
in spear phishing campaigns that compromise multi-factor protected credentials and session cookies.
It's an adversary in the middle campaign specializing in advanced account takeover methods.
That's the seesaw.
Using reverse proxy tools is a foreseeable criminal response
to the growing adoption of multi-factor authentication security measures.
Multi-factor authentication remains an important security tool,
but as with any other technology, it isn't foolproof and doesn't amount to a panacea.
There are two reports out this week on vulnerabilities in CPUs.
The first affects Intel products.
Several generations of Intel's x86 processors are vulnerable to a data leak flaw called Downfall, CyberScoop reports. Daniel Moghimi,
a computer security expert at the University of California, San Diego, and Google found that an
attacker running one application could exploit the flaw to steal passwords, encryption keys, and other sensitive data from another application.
Moghimi told CyberScoop,
When you have a vulnerability like this, essentially this software-hardware contract is broken.
The software can access physical memory inside the hardware that was supposed to be abstracted away from the user
program. It violates a lot of assumptions we make in general about operating system security.
Intel poured oil on troubled waters, saying in a statement that the attack researchers describe
would be very complex to pull off outside of the controlled conditions of a research environment.
AMD processors also exhibit a vulnerability of their own. Bleeping Computer reports that all AMD Zen CPUs are vulnerable to
a hardware flaw that can leak privileged secrets and data using unprivileged processes. Researchers
at ETH Zurich discovered the flaw and created an exploit called Inception that creates an infinite transient loop in hardware to train the return stack buffer with an attacker-controlled target in all existing AMD Zen microarchitectures.
Cisco Talos warns that a new threat actor is using the Yashma ransomware against targets in English-speaking countries and also in Bulgaria, China, and Vietnam.
The researchers say Talos assesses with moderate confidence that the threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization's name.
The ransom note also asks victims to contact them between 7 and 11 p.m. UTC plus 7, which overlaps with Vietnam's time zone. It seems the crooks clock in and out just like the rest of us.
Talos also notes that the threat actor's ransom note mimics the one used by WannaCry.
And why not? If you're engaged in extortion, what's a little plagiarism among friends?
Bitdefender has released its macOS threat landscape report,
revealing that Trojans pose the primary threat to Macs,
constituting over 50% of identified threats.
The study highlights that EvilQuest retains its status as the most prevalent malware targeting
Mac systems, commanding a substantial 52.7% share.
This malware strain encompasses a ransomware module designed to encrypt and exfiltrate
victim files, accompanied by a keylogger for harvesting keystrokes and siphoning personal
and financial information. Although the majority of antivirus providers are equipped to detect and
thwart EvilQuest, its persistent prevalence suggests that attackers continue to deploy it
in a scattergun manner, aiming to ensnare vulnerable victims in their wide-reaching dragnet.
The Telegraph reports that the ransomware attack
and attendant data breach at the UK's Electoral Commission may have been directed by Russian
intelligence services. It may have been intended to disrupt British elections. While the incident
was detected in October of 2022, the Electoral Commission only yesterday issued a public notification of the
attack. Considerable personally identifiable information was exposed, as is so often the
case with Russian operations. It will be difficult to distinguish conventional cybercrime from
cyber espionage and state-directed influence operations. Reuters reports that the Security Service of Ukraine,
the SBU, also known by its translated acronym SSU, said yesterday that a Russian attempt to
compromise the Ukrainian Armed Forces Combat Information System had been detected and thwarted.
According to The Record, the SBU identified the threat actor responsible as the GRU's Sandworm.
The Ukrainian security agency says it stopped the Russian military operation in its planning phases.
Sandworm's goal is thought to have been the compromise by spyware of Android devices used in Ukrainian tactical networks.
But the SBU didn't reveal the specific systems the GRU had targeted.
Ukrainska Pravda cites SBU sources as saying, Sandworm was trying to work from Ukrainian
tablets captured on the battlefield. Their intention was to use those devices to access
Ukrainian networks and use that access to spread about a dozen spyware programs.
And finally, August's Patch Tuesday arrived yesterday.
It saw upgrades to some widely used products from several vendors.
Adobe released patches for 30 vulnerabilities affecting Acrobat DC, Acrobat Reader DC,
Acrobat 2020, and Acrobat Reader 2020, Security Week reports.
Microsoft patched 33 products.
The company also released a defense-in-depth update to block the attack chain for an actively exploited Windows Search remote code execution vulnerability.
And Fortinet has issued a security update addressing a buffer overflow vulnerability affecting FortiOS. The flaw may allow a privileged
attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were
able to evade FortiOS stack protections. As CISA likes to say, apply upgrades per vendor instructions.
Coming up after the break, Rob Boyce from Accenture checks in from the Black Hat Conference.
Maria Varmazis speaks with the Black Hat Aerospace Village's Kaylin Trychon and Steve Luczynski.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Maria Varmazis is host of the T-Minus podcast focusing on all things space.
She recently spoke with the Black Hat Aerospace Village's
Kaylin Trychon, Director of Communications,
and Steve Luczynski, Board Chair,
about the Aerospace Village non-profit,
their mission, and their programs.
Here's Maria Varmazis.
Kaylin, Steve, there's a lot going on at the Aerospace Village at DEF CON this year.
If you could start us somewhere and walk me through it, that'd be awesome.
One of the things that I am just super proud of and excited for is the wide range of talks that we have in the village this year. When we started this five years ago, we were the aviation village. Now we are the
aerospace village and we are really seeing that come into itself. We have tons of talks for space,
satellites, aviation. We also have one that has to do with weather and weather satellites.
And weather balloons.
And weather balloons.
That's super cool.
I think that what this shows us is that we really are bridging the gap and reaching the
different communities that we are trying to reach by seeing the diversity in these talks.
A few that I'm super excited for, and I think that our listeners will be excited to mark their
calendars for is one talk called Winging It, Pentesting 737. I'm a bit fearful of that,
but I think it's going to be a really engaging talk. That feels like very DEF CON to talk about
something terrifying and cool at the same time. Exactly. And I think, you know, one of the things
that we always say,
and we really do promote it through our messaging, is that, you know, we don't want people to cause
hysteria and think planes are falling out of the sky. We want to actually show the real world
security challenges that this ecosystem faces. To pile on to what Kaylin said, you know, that
government side, the growth we've seen over these five years.
We've got a person from TSA coming in to talk about the screening systems and the cybersecurity
involved with that. We've got two nice ladies from the Office of the National Cyber Director,
and they're coming in to talk about things from National Cybersecurity Strategy and the
Workforce Strategy that's recently published,
but they also do work with the National Space Council. So their perspective from that high
level government side of things, all the way down to the deep technical and things like what
Kaylin's mentioned on both space and aviation. I'm excited I get to do a talk with the TSA
administrator, hearing his perspective on both space and aviation and space
related cybersecurity concerns, the industrial control systems at airports, spaceports, all of
that. So in addition to the talks, we have activities that are very deeply technical and
very complex on the run side of things. And we've also got activities that are very simple and straightforward in like a crawl,
walk, run mentality.
So Capture the Flag events being hosted by Boeing, by Lockheed Martin.
The Aviation ISAC has brought in students from Embry-Riddle.
We've got students in our talk track.
We've got students running these Capture the Flags.
We have other smaller companies like CT Cube, Intelligenesis, showing some of their training systems, some of the industrial control systems as it relates to runway lighting and the security behind those and how they demonstrate that.
SpaceX is going to have one of their ground stations there.
It sounds like they're going to have a spacesuit and an engine.
So it's just good to have some cool things to look at.
We'll have an Airbus cockpit.
One of our, again, another partner of ours, Pen Test Partners,
they have built an Airbus cockpit and they use that to demonstrate.
I'm sorry, a cockpit.
Yes, and yes, it will be there for fun, the fun of flying it also.
But demonstrating the electronic flight bag.
Exactly. And they're going to have actual aircraft seats. So we're going to have,
you can, your experience of flying out there, being uncomfortable and flying home,
you can do that in our village. So we have all of that. And one other event I've been working
on this lately is an Ask Me Anything. Yeah, yeah. Tell me about that.
We've got all these experts, right? We've got
experts that are volunteers. Volunteers are pilots, former pilots, military, commercial,
all the way to people who've done policy, government policy and industry, the security
researchers who have been doing it their entire career. And then we have all these partners
and experts that are coming in, either speaking or the
activities that we talked about. And so folks want to learn from them where you can sit down and say,
hey, I want to learn about getting into cybersecurity. I want to learn about getting
into cybersecurity in aviation or space sector. And you can hear from folks. They want to talk
about where they work. If you want to know about it, great.
But the idea is experienced people who come from a government, an industry, an academic,
a security researcher background.
You can ask them any questions that you want.
You can hear more about what they did, how they got in, the goods, the bads, all of those things.
And that brings us to what I'm going to call the satellite in the room here,
which is we haven't talked about it in depth yet,
but this year,
Hack-A-Sat finals are going to happen at DEF CON on a satellite that is in
space, Moonlighter.
So cool.
It is orbiting in space.
It is so cool.
I'm such a nerd.
I'm so excited to bring Hack-A-Sat in this competition.
I'm working with the Air Force and the Space Force to actually do this and have it be live in space with these finalist teams.
I think it's just going to be something that is incredible.
It's such a testament to all of the work that the community, that the village has done.
Well, and the beauty is Hack-A-Sat covers both the activity side, like what Kaylin mentioned,
so both on the speaking side and the come-see-it-live-in-action side. We're going to have a CubeSat.
The CubeSat known as Project Moonlighter that Kaylin mentioned is a CubeSat launched in June, deployed off the ISS in July.
That's what's orbiting.
That's what they're hacking on for this capture the flag.
But we have one because Cal Poly is bringing one in.
And you can talk to folks about how it works and what it does.
DEF CON is such an amazing, overwhelming event, especially for someone who might be new.
So I'm just going to close with
like a newbie question. If someone's going to DEF CON for the first time and they want to go to the
village, your village, what would you recommend they start with first? I know it depends on what
they're interested in, but let's just go with that. I would say it wasn't too, too long ago
that I was a newbie DEF CONer. And I would say, you know,
if you're entering the Aerospace Village,
look for someone in a blue Aerospace Village t-shirt
and just go up to them and ask them, you know,
share what your interests are.
And we will help make sure that you have
the best first experience that you can have.
You know, we have so many incredible volunteers
with such incredible backgrounds. And we want, you know, we want people to have a great experience and to
take something away and to learn something they didn't know when they entered the village. So
look for somebody in an aerospace village t-shirt. That is my advice.
And I think what you led off with, Maria, is having tried to do everything at DEF CON
because there's so many
villages, so many activities, so many talks. You got to stand in line or you're going to miss out
on the talk. Just pick something. Maybe it's our village for the entire day. We would love to have
you, just like Kaylin said, talk to somebody in a blue shirt or one of the nice neon vests that
we're bringing this year so you know who the volunteers are and they can point you in the right direction. But really that focus so you can
actually enjoy DEF CON as opposed to just get totally whooped trying to do everything because
we're only one small portion of DEF CON, right? So yeah, just being able to make your way around and
calmly enjoy and spend time in each place is the recommendation I'd offer.
Some earned wisdom there, indeed.
I don't follow it myself, but I offer it.
And I try to do it, but I fail.
It's a lot. It's a big event.
Kaylin and Steve, I wish you all the best at DEF CON this year.
And a quick reminder to check out the T-Minus podcast
right here on the Cyber Wire network.
And it is always my pleasure to welcome back to the show Rob Boyce.
He is Managing Director and Global Lead for Cyber Resilience at Accenture.
Rob, welcome back.
And you are today our man on the ground at the Black Hat Conference in Las Vegas.
How are you doing out there so far?
Surviving the heat, Dave.
Yes, indeed.
Very hot.
But yeah, thank you, first of all, for having me. It's always a pleasure to talk with you. Yeah. Well, things are really kicking off,
getting into gear today at Black Hat. I know there's a big keynote scheduled later in the day
with Jen Easterly from CISA. What do you have on your schedule? How do you approach a show like
this in terms of managing your time? Yeah, it's actually a really interesting question because as you can
imagine, it's a lot to take in in just a couple of days. So I typically come with the agenda that
I want to investigate. And I think this year, data and AI being a huge topic of interest from all of
the organizations we talk to.
And I feel like almost every security company now is an AI company.
So just digging into that a little bit more on the agenda.
And then the other thing that I'm finding super interesting, as you've already mentioned,
Jen Easterly will be doing a keynote and Kemba, the acting director of ONCD, will be doing a keynote. So I think it's
going to be super interesting. But the presence of the government is incredible this
year. I think we've seen many people already, you know, just trying to understand
like how this collaboration with the government and this community is going to work. And it's
clear that the government's doing an amazing job with outreach this year. Not only are they having the
keynotes, but they have invested in having the booths, they're recruiting heavily. We had a
chance to talk to someone from CISA yesterday and ask them very specifically, you know, how
is the reception of the community been on your presence this year? And he said it's been very
positive so far. You know, there's always that small group that is
a little bit more skeptical of government collaboration.
Spot the Fed. Exactly. That's a game that we miss
here because now everyone's a Fed at this point.
But I think it's, he said,
it's been very, very welcoming.
And, you know, if we really do want to have a private sector, public sector collaboration, these are the efforts the government needs to put forward to try and reach out to the community and get the support for the mission.
And I think they've been doing a pretty good job on that.
So, you know, that's been interesting as well.
And the last thing I'll say on my agenda as I'm thinking through the show is, of course, workforce resiliency and the talent shortage and how we're addressing that. This is a huge recruiting opportunity for very, very top talent.
Clearly, as I said, the government's there.
We are here actively recruiting as well.
And it's just interesting to just have this talent in one place and just be able to share ideas.
And so it's been super interesting. So those are like, so again, to answer your question,
Dave, like when I'm thinking about how to manage my time, I come here with my agenda. Those
were the three things I really wanted to dig into this year. And it's been interesting so far,
even though it's really day one. Do you have any sense for where people stand in terms of
their spirits? You know, we've been through a number of organizations have been through some layoffs.
So there's a little more uncertainty in the cyber world than perhaps we've ever seen before.
Yeah, I would say I think events like this have an opportunity to uplift people's spirits, honestly.
I think, again, this community is so close that any opportunity we have to get together, share ideas, even, you know, just share ideas even at the bar.
It's just it's been a really I think these are the opportunities we have to uplift the spirits of people.
So I think it's been great.
And it is interesting.
Like you made a very good point where we have been seeing layoffs and uncertainty, but we at the same time, we're seeing such a huge demand still for skilled people in this industry.
And it's almost like these two realities are at a bit of odds.
And so again, this thing, being able to be here and present with the community has been,
you know, it's been really great.
And I think the spirits in general have been pretty good.
What's your advice for that black hat first timer who's feeling a little overwhelmed at
everything to take in this week?
Don't connect to the hotel Wi-Fi.
Fair enough.
Honestly, it is overwhelming.
And now that we're seeing more of these focused villages pop up,
two of the things that I'm really excited to see are the AI hacking competition,
the space hacking competition.
And so you really do need to come with, where do you want to focus your time? Because there's just
so many things to take in. It's very hard. So, you know, I guess my advice would be, you
know, think through what it is you want to get out of being here, and then, you know,
make a point to do it. Because it's very easy to get distracted very, very quickly while being here.
That is for sure.
Yeah.
All right.
Well, Rob Boyce is Managing Director and Global Lead for Cyber Resilience at Accenture.
Rob, thanks for joining us and good luck with the week ahead.
Thank you, Dave.
It was a pleasure being here.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to
partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by
our editorial staff. Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.