CyberWire Daily - Cyberespionage, extortion, and DDoS as instruments of state policy. Ransomware continues to trouble a wide range of targets across many sectors.
Episode Date: July 5, 2023
Chinese cyberespionage campaign against European governments. The Port of Nagoya closes over ransomware attack. BlackCat and SEO poisoning. LockBit seeks to extort a semiconductor manufacturer. Professionals in the cyber underworld. CISA issued a DDoS alert for US companies and government agencies. Microsoft debunks claims of data theft by Anonymous Sudan. Matt O'Neill from the US Secret Service speaks with Dave Bittner about sextortion. Rick Howard sits down with Michael Fuller of AWS to talk about the kill chain. And Avast releases a free decryptor for Akira.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/126
Selected reading.
Chinese Threat Actors Targeting Europe in SmugX Campaign (Check Point Research)
Hackers target European government entities in SmugX campaign (BleepingComputer)
Chinese hackers target European embassies with HTML smuggling technique (Record)
Japan's largest port stops operations after ransomware attack (BleepingComputer)
BlackCat ransomware pushes Cobalt Strike via WinSCP search ads (BleepingComputer)
BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising (The Hacker News)
TSMC Says Supplier Hacked After Ransomware Group Claims Attack on Chip Giant (SecurityWeek)
TSMC confirms data breach after LockBit cyberattack on third-party supplier (TechCrunch)
Taiwan Semiconductor Denies LockBit's $70M Hack Claim (Bank Info Security)
Semiconductor giant says IT supplier was attacked; LockBit makes related claims (Record)
DoS and DDoS Attacks against Multiple Sectors (Cybersecurity and Infrastructure Security Agency CISA)
CISA issues DDoS warning after attacks hit multiple US orgs (BleepingComputer)
Microsoft denies data breach, theft of 30 million customer accounts (BleepingComputer)
Microsoft Denies Major 30 Million Customer-Breach (Infosecurity Magazine)
Decrypted: Akira Ransomware (Avast Threat Labs)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A Chinese cyber espionage campaign against European governments.
The port of Nagoya closes over ransomware attack.
BlackCat and SEO poisoning.
LockBit seeks to extort a semiconductor manufacturer.
Professionals in the cyber underworld.
CISA issues a DDoS alert for U.S. companies and government agencies.
Microsoft debunks claims of data theft by Anonymous Sudan.
Matt O'Neill from the U.S. Secret Service speaks with Dave Bittner about sextortion.
Rick Howard sits down with Michael Fuller of AWS
to talk about the kill chain.
And Avast releases a free decryptor for Akira.
I'm Trey Hester, filling in for Dave Bittner with your CyberWire Intel briefing for Wednesday, July 5th, 2023.
We are back after the Independence Day holiday, and here are a few stories we've been following.
Beijing's intelligence services are currently deploying PlugX to collect against a range of targets in Europe.
Check Point researchers describe a Chinese government cyber espionage campaign against European governments.
They call it SmugX and attribute it to RedDelta, with some involvement by Mustang Panda.
The campaign uses HTML smuggling to deploy a new variant of PlugX against its targets.
The group's interest seems to be in Eastern Europe, but the targeted governments,
which include Sweden, United Kingdom, France, Slovakia, Hungary, and Ukraine, are not confined to that region.
Ransomware continues to infest a wide range of organizations.
Bleeping Computer reports that just yesterday, the port of Nagoya, Japan's busiest ocean terminal,
sustained a ransomware attack against the Nagoya Port Unified Terminal System.
Nikkei Asia says the issue came to light when a port employee noticed anomalies in his system.
Investigations revealed the cause to be a ransomware infestation. The Port Authority is working to restore service and expects to have done so by tomorrow morning.
In the meantime, most container operations at the port have been suspended.
No group has claimed responsibility for the attack, which remains under investigation.
Familiar criminal ransomware organizations continue to find victims too. The BlackCat ransomware gang is using malvertising to trick victims into installing malicious versions
of the WinSCP file transfer application,
Bleeping Computer reports.
According to researchers at Trend Micro,
quote,
the infestation starts once the user searches
for WinSCP download on the Bing search engine
and malicious ad for the WinSCP application
is displayed above the organic search results.
The ad leads to a suspicious website containing a tutorial on how to use WinSCP for automating file transfer.
From this first page, the user is then redirected to a clone download webpage for WinSCP.
Once the user selects a download button, an ISO is downloaded from an infected WordPress webpage.
The LockBit ransomware group has demanded $70 million in exchange for not leaking data allegedly stolen from Taiwanese
chip manufacturer TSMC. TSMC told The Register that one of its third-party equipment suppliers,
Kinmax, was the source of the breach. SecurityWeek quotes TSMC as stating,
quote,
At TSMC, every hardware component undergoes a series of extensive checks and adjustments, including security configurations, before being
installed into TSMC's system. Upon review, the incident has not affected TSMC's business
operations, nor did it compromise any of TSMC's customer information. After the incident, TSMC has immediately terminated its data exchange with a concerned supplier
in accordance with the company's security protocols and standard operating procedures.
TSMC remains committed to enhancing the security awareness among its suppliers
and making sure they comply with security standards.
The cybersecurity incident is currently under investigation that involves a law enforcement agency.
End quote.
Kinmax said in its own statement, quote,
The leaked content mainly consisted of system installation preparation that the company provided to our customers as default configurations.
We would like to express our sincere apologies to the affected customers as the leaked information contained their names, which may have caused some inconvenience.
End quote. Cybercriminal gangs are increasingly operating like professional businesses,
according to Melissa Bischoping, director of endpoint security research at Tanium.
In an article for Infosecurity Magazine, Bischoping stated, quote,
The ransomware-as-a-service approach is almost identical to today's modern businesses,
which seek to hire the best talent across different functions. Through public-facing data leak sites, Telegram channels, or direct
recruitment of targets as insider threats, cybercriminals advertise job openings, promoting
pay, benefits, and other perks. In fact, the Lapsus Ransomware Group has been advertising
job openings since November 2021, targeting employees at large technological firms
such as AT&T and Verizon to lure employees to perform insider jobs in exchange for high pay,
up to $20,000 a week. The landscape for cybercriminal jobs is competitive,
with new ransomware groups and data leak sites popping up constantly. End quote.
CISA released an alert on June 30th regarding distributed denial-of-service attacks.
CISA is aware of open-source reporting of targeted denial-of-service and distributed denial-of-service attacks against multiple organizations in multiple sectors.
These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible.
End quote.
Though the alert does not point fingers at any group,
it can be assumed that this is in response to the recent attacks against U.S. and NATO industries by Russian-aligned groups.
Bleeping Computer assessed that the warning represented a response to Anonymous Sudan's new wave of DDoS attacks against various government and private sector organizations.
Anonymous Sudan announced the attack on U.S. companies and government websites was in
retaliation for announcements U.S. Secretary of State Antony Blinken made concerning sanctions
against certain parties in Sudan's ongoing civil war. Anonymous Sudan, generally regarded as a
Russian front organization, on July 1st claimed in its Telegram channels to have breached Microsoft servers and stolen data belonging to some 30 million customers. Quote, we announced that we
have successfully hacked Microsoft and have access to a large database containing more than 30 million
Microsoft accounts, including email and password. Price for the full database? $50,000. End quote.
Microsoft says the claim is baseless, stating, quote,
at this time, our analysis of the data shows that this is not a legitimate claim
in an aggregation of data, end quote. Just yesterday, Anonymous Sudan also announced
an ongoing attack on Riot Games, an American video game developer for League of Legends.
Anonymous Sudan has claimed that they have access to Riot's back end of League of Legends.
This campaign is a continuation of attacks against American companies
in response to the comments made by the Secretary of State concerning the civil war in Sudan.
Riot Games would appear to be merely a U.S.-based target of opportunity.
And finally, we close with a bit of encouraging news.
Avast researchers have developed a decryptor for the Akira ransomware,
active in the wild
since March of this year. It's available at no charge, with instructions for use on Avast's
decoded site.
Coming up after the break, Matt O'Neill from the U.S. Secret Service speaks with Dave Bittner
about sextortion. Rick Howard sits down with Michael Fuller of AWS to talk about the kill chain.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from BlackCloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when
executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with BlackCloak.
Learn more at blackcloak.io.
In another episode of our continuing series of interviews that our CyberWire colleague Rick Howard gathered at the recent AWS re:Inforce conference,
today, Rick speaks with Michael Fuller from AWS
about the kill chain.
The CyberWire is an Amazon Web Services media partner,
and in June 2023,
Jen Eiben, the CyberWire's senior producer and I,
traveled to the magical world of Disneyland
in Anaheim, California,
to attend their AWS re:Inforce conference
and talk with senior
leaders about the latest developments in securing the Amazon cloud.
I got to sit down with Michael Fuller.
He's the Director of Product Management, External Security Services at AWS, and he's responsible
for several AWS security products like GuardDuty, an IDS of sorts, Macie, a data loss protection service, Security Hub,
a security configuration dashboard for your Amazon deployment, Inspector, a vulnerability
management service, Detective, a SIEM, and Security Lake, a data lake for your security logs.
And I asked him about one of my pet peeves in the InfoSec community, that both practitioners and vendors tend to focus on tactical, technical things, like preventing malware and exploits
and vulnerabilities, and not specifically on a strategy of defeating the 300 or so known attack
campaigns from the likes of Fancy Bear, Wizard Spider, and the like. I call that strategy the
Intrusion Kill Chain Prevention strategy. In our discussion,
you'll hear us talk about the conference main keynote speech delivered by CJ Moses, the AWS CISO.
Here's Michael. Yeah, I think one of the exciting things about where we sit is that we also,
you know, customers look to us as a peer. We're also one of the largest companies operating on AWS.
Yeah.
And we've been doing it for some time.
So we actually started this service team in AWS security.
We were one of the only service teams
that were actually within our internal security team
versus, you know, on the services side.
And we did that intentionally because, you know,
our internal security team and all of Amazon security was also a customer focus of ours as being one of the biggest customers on AWS.
And so that also helps us, you know, inform what we're building. And it also allows us to remain
grounded because, you know, internally they're, it's almost like a sibling. They're very blunt
on saying you're building something that may sound really good on paper,
but this doesn't really help us.
So they keep us grounded on,
are you really moving the ball forward in practice?
And I think that helps a lot with our customers as well
because they look to us on like,
how do you guys solve this in Amazon?
You guys are building on AWS,
you're using the same services we're using.
How did you solve this problem?
Zero Trust as an example.
And then we're able to share what we've done internally and our journey along that.
And then what services we've developed and capabilities across AWS overall that we, that's
informed for them to be able to kind of replicate what's been successful for us.
So we look at, you know, other security vendors, they have intelligence teams and the way they
market themselves is they produce intelligence reports on some adversary out there.
And we have the MITRE ATT&CK framework that is an open source collection of bad guy activity.
But there's very little discussion about what goes on in cloud environments.
I mean, in the MITRE ATT&CK framework, there's a section on it, but it's pretty weak sauce, right?
And now we've been in the cloud now for over a decade.
I'm sure you guys are seeing adversaries
that are operating in the cloud,
but you just don't see people talking about their procedures.
I'm wondering, do you guys plan to be public
about that stuff at any time in the future?
I think you'll see more of it.
I think if you look at CJ's keynote at this event,
he said more this time than I've ever heard him say before, right?
So I think we're trying to figure out ways
to do it in a tasteful way
where we're not looking like we're trying to market
or, you know, spread fear or anything along the lines.
But we do a tremendous amount internally
within AWS security and through our team.
We're very collaborative in that way.
We do see a lot.
A lot of that gets worked into our products on behalf of customers into things like GuardDuty and other places.
And you're right.
We just haven't talked about it quite as much as probably some would like.
And so I think you'll see more of that from us.
Well, I think there's a difference because, I mean, CJ mentioned in his keynote, there's
of the cloud and in the cloud.
And I don't expect you guys to talk about what's going on of the cloud internal to, you know, what's Amazon.
But the things that the customers are seeing, the people that are operating in the cloud,
I would expect we'd see those attack sequences made public.
So if, like, the CyberWire got hit, we're Amazon customers, right?
If we got hit, we'd like to be able to share that intelligence across and say, you know,
you should have these controls for Wizard Spider or whatever sort of campaign that's going on.
So I would love to be able to see that.
Yeah, we do.
We do it internally.
Like I said, we haven't been as great
at marketing it, essentially.
We're really focused on substance
and getting it in our hands of our customers.
And so we do talk about it with customers directly
and we do incorporate it into the services.
And I think you'll see more of us talking more publicly about it, again, in an Amazonian way.
Amazonian way. I love that.
Well, thank you, sir, for coming on and explaining this. I really appreciate it.
Yeah, absolutely. Thank you for making the trip out.
All right.
We'll see you at the next re:Invent, of course.
Oh, please do.
At re:Invent.
That's Rick Howard speaking with Michael Fuller of AWS.
I am pleased to welcome back to the show Matt O'Neill.
He is Deputy Special Agent in Charge for Cyber with the U.S. Secret Service.
Matt, welcome back. Thank you. I know a focus for you and your colleagues is trying to track down and prevent sextortion. It's a tough thing to talk about, but it's important. Can you unpack
it for us here when we say sextortion? What exactly are we talking about? Yes. So in many
cases, what will happen is somebody will
communicate with the victim online. So bad actors will target folks on social media sites,
specifically whether it's Instagram, TikTok, Facebook, and engage them in conversation.
And then eventually recommend them sending a photo of them, you know, usually of something that, you know, like their bodily parts.
So they're sparking a romance sort of or maybe romance may be more sophisticated than it deserves to be described, right?
Yes, without a doubt. is the victim will send a photo and then almost immediately, the bad actor will start extorting them for money
and threatening them that if they don't provide
X amount of dollars, depending on who the victim is.
And again, they do their due diligence.
They know generally if this person is a juvenile,
how much money they probably would have,
or if they're an executive, if they're married.
Because again, we disclose a lot in our social media. So they're doing their own sort of open source analysis as to
who their targets are. And so the extortion amount will be largely based on how much you can afford
to pay. And then what will happen is the victim will send money, whether it's through a cryptocurrency exchange or whether it's through prepaid cards to the threat actor, and then the extortion continues.
It doesn't just stop.
get reached, contacted by a victim, we will do our own investigation and invariably we'll find evidence of not just one victim, but scores of victims. And so then we'll go through the process
of trying to reach out to the victims, let them know that we're working this case as well.
Can we talk about the mindset of someone who finds themselves falling victim to this? I mean, I imagine, of course, there's embarrassment, there's fear.
What's the case that you make that while you're in the midst of all this,
in addition to everything you're dealing with,
it's a good thing to reach out to law enforcement folks like you and your colleagues?
So what the Secret Service agents that contact the victim will try to tell them is a few things. The first is they're not alone. There's resources through victim witness coordinators to try to help support them through these difficult times.
We have made significant arrests overseas.
And so it is not this person that is untouchable overseas.
We will find them and we will work with wherever they're located, the law enforcement there to make arrests.
Sextortion to me personally are cases that I take very personally. Very personally, when I was working up in New Hampshire back in 2014, I worked with the Department of Justice on one of the first sextortion cases. And the victim wound up committing suicide a few years later, largely as a result of the trauma faced during the several months of the sextortion behavior.
And so wherever we've tried to get involved and engaged in these cases,
that's something that the Secret Service takes very seriously. The Secret Service will work with the FBI, HSI, and any other federal partner that is engaged in these crime schemes. But it is
something that affects men, women, girls, boys, all alike. How much of this
is an educational component of getting the word out, as you say, that you're not alone, but that
also there's not going to be any additional shame here, right? Right. So that is something that the
Secret Service Cyber Fraud Task Forces are trying to push out to all of their local communities that we highly encourage victims to report.
They can report it through the IC3 website.
They can report it to their cyber fraud task forces.
They can report it to the FBI.
They can report it to the local police.
And we're trying to get a handle on how large this problem is.
We see it somewhat anecdotally, but we also,
the Secret Service has a rich history of following the money.
Most of our financially motivated cyber criminals get arrested after we have followed the money, and this is no different.
So when a Secret Service agent or analyst is following money in a sextortion case, they will find other victims.
And so we know the problem is a lot larger than reported.
Do you have success stories here?
I think people might think that this sort of thing goes into a black hole somewhere.
But any success stories to share?
Yes.
So the Secret Service investigated a bad actor in New Hampshire named Ryan Valley, who was sextorting dozens of girls throughout New England.
He was subsequently charged and convicted and served several years in prison. There are other
instances that arrests have been made that have
not been publicly disclosed yet. But I will say with confidence, the U.S. Secret Service, we have
a team in our Global Investigative Operations Center focused specifically on sextortion and
working with our federal partners at both the Department of Justice and the FBI and HSI on
several organized groups,
and I anticipate more arrests to come shortly.
All right. Well, Matt O'Neill is Deputy Special Agent in Charge for Cyber with the U.S. Secret Service.
Matt, thanks so much for joining us.
Thank you.
cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to hear what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us
ensure we're delivering the information and insights that help keep you a step ahead in
the rapidly changing world of cybersecurity. This episode was produced by Liz Irvin and
senior producer Jennifer Eiben. Our mixer is me with original music by Elliott Peltzman.
The show is written by our editorial staff. Our executive editor is Peter Kilpe,
and I'm Trey Hester filling in for Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. Thank you.
Not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.