CyberWire Daily - Demo-lition derby: iVerify and Google clash over pixel app pitfalls.
Episode Date: August 16, 2024

Google and iVerify clash over the security implications of an Android app. CISA has issued a warning about a critical vulnerability in SolarWinds Web Help Desk. Ransomware attacks targeting industrial sectors surge. Microsoft is rolling out mandatory MFA for Azure. Banshee Stealer is a new macOS-targeted malware developed by Russian threat actors. A popular flight tracking website exposes users' personal and professional information. San Francisco goes after websites generating deepfake nudes. Daniel Blackford, Director of Threat Research at Proofpoint, joins us to discuss emerging tactics used by threat actors and trends in e-crime tied to nation states. Scammers use Google to scam Google.

CyberWire Guest
Daniel Blackford, Director of Threat Research at Proofpoint, joined us while he was out at Black Hat to discuss emerging tactics used by threat actors and trends in e-crime tied to nation states.

Selected Reading
Google to remove app from Pixel devices following claims that it made phones vulnerable (The Record)
Nearly All Google Pixel Phones Exposed by Unpatched Flaw in Hidden Android App (WIRED)
SolarWinds Web Help Desk Vulnerability Possibly Exploited as Zero-Day (SecurityWeek)
Microsoft Mandates MFA for All Azure Sign-Ins (Infosecurity Magazine)
New Banshee Stealer macOS Malware Priced at $3,000 Per Month (SecurityWeek)
Dragos reports resurgence of ransomware attacks on industrial sectors, raising likelihood of targeting OT networks (Industrial Cyber)
CISA Releases Eleven Industrial Control Systems Advisories (CISA)
FlightAware Exposed Pilots' and Users' Info (404 Media)
AI-powered 'undressing' websites are getting sued (The Verge)
Dozens of Google products targeted by scammers via malicious search ads (Malwarebytes)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Google and iVerify clash over the security implications of an Android app.
CISA has issued a warning about a critical vulnerability in SolarWinds Web Help Desk.
Ransomware attacks targeting industrial sectors surge.
Microsoft is rolling out mandatory MFA for Azure.
Banshee Stealer is a new macOS-targeted malware developed by Russian threat actors.
A popular flight-tracking website exposes users' personal and professional information.
San Francisco goes after websites generating deepfake nudes.
Daniel Blackford, director of threat research at Proofpoint,
joins us to discuss emerging tactics used by threat actors
and trends in e-crime tied to nation-states.
And scammers use Google to scam Google.
It's Friday, August 16th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today. Happy Friday. It is always great to have you with us.
Google and iVerify are clashing
over the security implications of an Android app, Showcase.apk, found on Pixel devices.
iVerify claims the app, used for in-store demos, exposes millions of devices to potential cyber
attacks by allowing hackers to exploit the app to inject spyware and
conduct man-in-the-middle attacks. The app runs at the system level, making it difficult for users
to remove and potentially allowing the operating system to be compromised. Google, however, refutes
the claims, arguing that the vulnerability requires physical access to exploit and isn't an Android platform issue.
Google is taking precautionary steps
by removing the app from all supported Pixel devices,
although it asserts there's no evidence of active exploitation.
iVerify criticizes Google for pushing the app
without giving users the ability to remove it,
warning that this creates an untrusted
ecosystem that could have serious implications for corporate environments where millions of
Android phones are in use. CISA has issued a warning about a critical vulnerability in
SolarWinds' Web Help Desk, which is actively being exploited. This Java deserialization
remote code execution flaw allows attackers to
execute commands on affected systems. While SolarWinds has released a hotfix, the company
noted that exploitation requires authentication, though CISA's quick response suggests it might
have been used as a zero-day. Affected versions range from 12.4 to 12.8, and all users are urged
to apply the patch, especially federal agencies, which must comply by September 5. Yesterday,
CISA issued 11 advisories addressing vulnerabilities in various industrial control systems.
These advisories highlight security issues in Siemens, AVEVA, and PTC Kepware products,
among others. The advisories cover a range of products, including Siemens SCALANCE,
SINEC, and Teamcenter Visualization, as well as AVEVA Historian Web Server and PTC Kepware
ThingWorx. CISA urges users and administrators to review the advisories for technical details
and recommended mitigations to protect against potential exploits.
In the second quarter of 2024, ransomware attacks surged, nearly doubling compared to the first
quarter as hacker groups adapted and rebranded. Dragos reported that these groups increasingly
targeted industrial sectors
using sophisticated tactics like zero-day vulnerabilities.
Despite significant law enforcement efforts,
ransomware groups such as BlackSuit and RansomHub remained resilient,
exploiting the interconnected nature of IT and OT systems.
The manufacturing sector was hit hardest, followed by transportation,
government, and oil and gas. Dragos warns that ransomware threats will likely continue evolving
with industrial sectors remaining prime targets. Microsoft announced that multi-factor authentication
will become mandatory for all Azure sign-ins starting in late 2024.
Customers can choose from various MFA methods, including push notifications, biometrics, FIDO2 security keys, and certificate-based authentication.
The rollout will begin in October for Azure Portal and Admin Centers, expanding into 2025 to other tools like Azure CLI and PowerShell.
This requirement is part of Microsoft's broader Secure Future initiative,
aiming to enhance security amid rising cyber threats.
Exceptions apply to users accessing apps hosted on Azure, but not signing in to the Azure Portal.
Banshee Stealer is a new macOS-targeted malware developed by Russian threat actors, advertised on cybercrime forums for $3,000 per month.
According to Elastic Security Labs, this malware can steal a wide range of data, including
macOS passwords, hardware and software information, keychain
passwords, and data from nine different browsers, such as Chrome, Safari, and Firefox. It also
targets cryptocurrency wallets like Exodus and Ledger. The malware checks for signs of being
analyzed and avoids systems set to Russian. While Banshee Stealer lacks advanced obfuscation,
making it easier for analysts to detect, its broad data collection capabilities pose a significant threat to macOS
users. The malware is typically deployed through social engineering techniques,
malvertising, or trojanized applications. Despite its basic design, its focus on macOS and the
extensive data it can steal make it a serious concern for cybersecurity professionals.
FlightAware, a popular flight tracking website, experienced a data breach exposing users' personal and professional information,
including physical addresses, aircraft ownership, pilot status, and flight activity.
The breach, discovered on July 25, resulted from a configuration error
that potentially exposed user IDs, passwords, email addresses, and more.
FlightAware has required users to reset their passwords and has since fixed the issue.
The exposed data also included billing and shipping addresses,
IP addresses, phone numbers, and partial credit card information.
The San Francisco City Attorney's Office has filed a lawsuit against 16 websites that use AI to
create non-consensual nude deepfakes targeting women and girls. These sites, collectively visited over 200 million
times in the first half of 2024, allow users to upload images of fully clothed individuals,
which are then digitally undressed using AI tools. The lawsuit, announced by City Attorney
David Chiu, accuses the sites of violating state and federal laws,
including those against revenge porn and child exploitation. The complaint seeks to shut down
these websites, impose civil penalties, and prevent the creation of future deepfake pornography.
Chiu emphasized the serious harm these sites cause, especially as advancements in generative AI
have led to a rise in sextortion cases. The legal action reflects growing concerns over
the exploitation of women and girls through AI-generated non-consensual images,
highlighting the urgent need for societal and legal solutions to combat this issue.
Coming up after the break, Daniel Blackford, Director of Threat Research at Proofpoint,
joins us to discuss emerging tactics used by threat actors and trends in e-crime tied to nation states.
Stay with us.
Daniel Blackford is director of threat research at Proofpoint, and I recently spoke with him about emerging tactics used by threat actors
and trends in e-crime tied to nation states.
Well, I think our goal is really to have as much coverage as is possible with a task that is largely manual, right?
Kind of taking the telemetry that comes out of these products and then following up with manual investigation, tracking the activity persistently over time so that we ensure, you know, as changes are made by adversaries that we're able to continue to detect and block them.
And by going through this process, day after day after day, over time, trends emerge, right?
You can't not notice them in some cases.
And so I think they are emergent more so than we went looking for them specifically.
Well, let's dig into some of the specifics here.
I mean, what are some of the
things that stood out to you? Well, I think if we're looking at nation states specifically,
you of course have the kind of go-to North Korean actors kind of moonlighting with cryptocurrency.
I think at first, years ago, it was suspected that maybe they didn't have all the funding that they needed.
And so they were trying to have a second job where they were mining for themselves.
But I think the hypothesis now is that they're actually mining
on behalf of the regime so that they can, I don't know, fund their nuclear research program.
So that's always a fun one.
Yeah. And how about the other usual suspects here?
When we talk about Russia, we talk about Iran.
Sure. So I think with Russia, the trends are not
quite as clear, but there is a very obvious
relationship between the Russian intelligence apparatus and some of the
groups that I would say are predominantly financially motivated. So I think there are
times where based on some access that a e-crime group might have to a particular customer that's
of interest or a particular victim that's of interest to
the Russian state, they might come down heavy and say, hey, if you don't want to be prosecuted,
if you don't want to be shut down, if you want to continue to have us turn a blind eye to your
illicit activity, then we're going to need you to provide us some access. I think there's certainly
been some relationships like that leveraged over time. In fact, I'm pretty sure a very high-ranking Russian intelligence officer
attended the wedding of Maksim Yakubets, who was associated with Evil Corp back in the day.
So you have this kind of tacit relationship where, for the most part, the Russian government says,
as long as you're not targeting Russian citizens, we kind of don't care what you do. But you never know when the long arm of the
government is going to lean heavy on you and kind of leverage your own activity for their benefit.
Yeah, it's interesting. I mean, I suppose there are occasions when it could help provide cover
for nation-state activity as well? There's
perhaps some misdirection, something looks like it's financially motivated, but
as you say, there are ties to nation-state priorities.
Yeah, absolutely. I think attribution is already a difficult half art, half science.
And it's only gotten more difficult over the years as WHOIS data goes away.
And we see threat actors leveraging
a variety of commodity malware,
even actors maybe who were previously
maybe devoted to one of the larger banking trojans,
for example, IcedID, TrickBot,
these types of things now using NetSupport RAT and AgentTesla,
and the mass of commodity activity out there
definitely makes attribution harder,
and there's no reason to believe that a nation-state
wouldn't leverage some of that same activity
to try to blend in.
Or just use hosting infrastructure
that financially motivated actors use, again, to kind of blend in with that
traffic. Is there anything specific and noteworthy coming out of Iran?
So with Iran, I can't speak to cybercrime specifically. We certainly have seen activity out of them in the past that maybe looks a little more
like a cybercrime attack would. So for example, Silent Librarian, or Mabna Institute, was a group
that would spoof library portals at higher education institutions and mass farm credentials from students and
faculties alike. So it wasn't necessarily what you would expect from an espionage-based group,
where it was highly targeted at people who might be doing a specific type of research that they
had interest in or were policy influencers. It was kind of at large, this kind of spray-and-pray phishing style
you more often see out of the financially motivated side.
We have recently seen, though, some activity that we attribute to an unknown group that is likely based out of China. So we saw a variant of Gh0st RAT.
And I think the financially motivated
or e-crime landscape within China
is an area that hasn't necessarily been
very well reported on or understood
by the industry as a whole.
There's a lot going on there.
And I think it's kind of burgeoning in a way.
But there is one particular remote access trojan, Gh0st RAT,
and we recently saw a variant
of it that was being leveraged
against people
who were doing AI research.
So several
US-based organizations
targeted to
fewer than 10 individuals. And so it raises
the question, here's kind of a commodity
remote access Trojan. It's been slightly
modified and now it's being leveraged against
targets
who you would expect would maybe align
to the targeting profile
for a group attempting to perform espionage or desiring to perform espionage.
And so you look maybe at the kind of, to your point, use of these generic tools to throw off the scent.
Yeah. For folks who are tasked with defending their organizations, how should they take this information, the things that you and your colleagues at Proofpoint are sharing about some of these trends when it comes to e-crime in nation states?
How do they dial that into their own risk profile?
Well, I think to cover these threats, regardless of risk profile, you're going to have to have a layered defense.
But I think for others in the industry who are trying to defend against these things,
I think you should absolutely not rush
to make an attribution.
You should not take every report
that comes out of every vendor at face value.
You have to check, trust, but verify.
And always have the mindset
that regardless of where the information comes from,
you're going to do your absolute best
to corroborate that within your own telemetry and visibility
because I think it's not always necessarily clear
in these muddy waters what is financially motivated
and what ultimately is going to lead
to a longer persistent espionage by,
you know, advanced actors. What about looking at some of the global events? You know, I'm thinking
of the Olympics, you know, things like the upcoming elections here in the United States and
indeed around the world. What is your view into those? Sure. So I actually led our U.S.-based elections research team in 2020.
And I think you're familiar with Selena Larson.
She's actually leading our effort this year.
And the idea was that we would kind of pull together a team who have various kind of subject
matter expertise, people who are tracking different activity, some on the nation-state side,
some on the financially motivated side,
but make sure that all the bases are covered,
BEC, those looking at malware,
those looking at SMS messages
and other forms of communication,
kind of get them all in a room
and brainstorm how we can add alerts
in as many places as possible
and highlight as many kind of trails to track down as it
pertains to these larger events. Certainly, we've seen at past Olympic events some nation-state
activity, I think, you know, specifically referring to Olympic Destroyer there. And we know that the
Russian state does not have a favorable relationship with the World Anti-Doping Agency, for example.
And it has definitely been sanctioned by Olympics in the past. So I think there's, you know, some
motive there. But to your point, we've passed some of the major elections already, and there haven't
been reports of, you know, outright meddling. I think influence operations are always something to consider, but we're
reaching the critical point for the US-based elections. Certainly in 2020, we saw activity
start to ramp up toward the end of August and certainly lead into November. So it's something
that we're monitoring very closely and we'll continue to do so for the rest of the year.
That's Daniel Blackford, Director of Threat Research at Proofpoint.
And finally, scammers are pulling off the ultimate irony by targeting Google's own products through malicious ads on Google's search platform.
According to research from Malwarebytes,
these ads trick users into downloading fake versions of popular Google services like Chrome, Gmail, and more.
It's maddening.
Google, the tech giant with some of the world's most sophisticated algorithms, is struggling to keep those scams off of its own search results.
Despite all its resources, Google seems to be fighting a never-ending battle against scammers
who use its very own tools to deceive users.
It's a frustrating reminder of how pervasive and clever online scams have become,
even managing to outmaneuver the systems designed by one of the most powerful tech companies in the world.
As these scams grow more sophisticated,
it's clear that even Google needs to step up its game to protect its users, and itself, from this ironic twist of fate.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out Research Saturday and my conversation with Snir Ben-Shimol from ZEST Security.
We're discussing their research, "How We Hacked a Cloud Production Environment by Exploiting Terraform Providers."
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver
the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most
influential leaders and operators in the public and private sector, from the Fortune 500 to many
of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for
companies to optimize your biggest investment, your people. We make you smarter about your teams
while making your teams smarter. Learn how at n2k.com.
This episode is produced by Liz Stokes. Our mixer is Trey Hester, with original music and
sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor
is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher.
And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.