CyberWire Daily - Developing a banking Trojan into a newer, more effective form. Cyberattacks on media outlets. Abuse of AWS Elastic IP transfer. Notes on the hybrid war. And cybercrooks are inspired by Breaking Bad.
Episode Date: December 21, 2022
The Godfather banking Trojan has deep roots in older code. FuboTV was disrupted around its World Cup coverage. The Guardian has been hit with an apparent ransomware attack. A threat actor abuses AWS Elastic IP transfer. Moldova may be receiving more Russian attention in cyberspace. CISA releases six industrial control system advisories. Ben Yelin looks at legislation addressing health care security. Our guest is Hugh Njemanze of Anomali with advice on preparing for the holiday break. And criminals are impersonating other criminals' underworld souks.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/243
Selected reading.
Godfather: A banking Trojan that is impossible to refuse (Group-IB)
FuboTV outage during World Cup semifinal was caused by cyberattack (Record)
Guardian hit by serious IT incident believed to be ransomware attack (the Guardian)
Elastic IP Hijacking - A New Attack Vector in AWS (Mitiga)
Telegram Hack Exposes Growing Russian Cyber Threat in Moldova (Balkan Insight)
Fuji Electric Tellus Lite V-Simulator (CISA)
Rockwell Automation GuardLogix and ControlLogix controllers (CISA)
ARC Informatique PcVue (CISA)
Rockwell Automation MicroLogix 1100 and 1400 (CISA)
Delta 4G Router DX-3021 (CISA)
Prosys OPC UA Simulation Server (CISA)
The scammers who scam scammers on cybercrime forums: Part 3 (Sophos News)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
The Godfather banking Trojan has deep roots in older code.
FuboTV was disrupted around its World Cup coverage.
The Guardian has been hit with an apparent ransomware attack.
A threat actor abuses AWS elastic IP transfer.
Moldova may be receiving more Russian attention in cyberspace.
CISA releases six industrial control system advisories.
Ben Yelin looks at legislation addressing health care security.
Our guest is Hugh Njemanze of Anomali with advice on preparing for the holiday break.
And criminals are impersonating other criminals in underworld markets.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 21st, 2022.
Group-IB reported this morning that the Godfather banking Trojan is currently in wide use against popular financial services worldwide.
The researchers say Godfather is designed to allow threat actors
to harvest login credentials for banking applications and other financial services and drain the accounts.
To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto exchanges.
The malware is based on the old Anubis Trojan, updated and improved.
Godfather is offered in the C2C malware-as-a-service market,
and it's distributed in the form of Trojanized applications, Group-IB says, sold in Google Play.
Group-IB observes that the case of Godfather highlights how quickly Trojan developers can adapt their tools and stay one step ahead of
their Android counterparts. Additionally, it shows how easily available source codes,
such as that of Anubis, can be modernized and relaunched, especially under the malware-as-a-service
model. Significantly, the researchers say, Godfather shuts down on an infected device
if it detects that the user is from Russia or a CIS country,
the Commonwealth of Independent States still being treated as more or less friendly to Russia.
And Godfather seems to have had some success in flying under the incautious user's radar.
Group-IB writes,
By imitating Google Protect, Godfather can easily go undetected on infected devices.
Unwitting users believe they are being protected by an Android service,
but in fact the malicious actors gain access to their banking and financial portal accounts.
While Group-IB does not have definitive data on the amount of money stolen by operators of Godfather,
the methods harnessed by malicious actors are cause for concern.
Streaming service FuboTV reported that it fell victim to a cyber attack last Wednesday
that knocked out access to the service during the time of the World Cup semifinal game between France and Morocco.
The Record reported that at around 9:20 a.m. that day,
the company reported an investigation into account-related issues, namely logging into
and creating accounts. They reported working to resolve the issue throughout the day,
though they acknowledged at midnight that some people were still unable to access the server.
The Hollywood Reporter says that a statement from the company
released Thursday morning following the incident says that the incident was not related to any
bandwidth constraints on Fubo's part, and that FuboTV takes this matter very seriously.
Once we detected the attack, we immediately took steps to contain the incident and work
to restore service. The company added that the attack is no longer a concern
and that the World Cup final went off without a hitch.
The British newspaper The Guardian was hit late yesterday by
what appears to have been a ransomware attack. It seems to have affected mostly back office
infrastructure, and the paper says it expects to publish both print and online editions as usual.
The Guardian notes that journalistic outlets are being increasingly subjected to attacks by
nation-states, but goes on to say that this incident appears to be conventional criminal ransomware activity.
Mitiga yesterday released research discussing a new potential threat vector
that leverages an AWS functionality known as Elastic IP Transfer.
In October of this year, a new Amazon VPC feature was released called Elastic IP Transfer.
The function allows for the transfer of Elastic IP addresses between AWS accounts.
Something important to note is that the Elastic IP transfer capability extends beyond the user
and even their organization. The EIPs can be transferred between any active AWS accounts.
If the correct permissions are enabled on the AWS account of a potential victim,
a malicious actor can dive in with a single API call
and transfer the EIP of the victim to their own account.
This is noted to be a later stage attack occurring after initial compromise.
Balkan Insight reports that Telegram chatter posted online
that represents itself as originating with Moldovan leaders is fabricated.
The communications were presented as exchanged among Moldova's president and two cabinet ministers.
The ministers and the office of pro-European president Maia Sandu
say the content of the alleged conversations is fake,
but Iurie Turcanu, Moldova's deputy prime minister in charge of digitalization,
says the attacks themselves are real and increasingly sophisticated.
The fabricated contents suggested collusion between the government and criminal elements, and the campaign is regarded as a Russian disinformation effort.
CISA yesterday released six industrial control system advisories.
They cover systems by Fuji, Rockwell, ARC, and Prosys.
As usual, operators of industrial control systems should consult the advisories and apply the appropriate mitigations. Sophos has uncovered a scam campaign that's impersonating various
criminal marketplaces. The researchers first found a spoofed version of the Genesis Market,
which asked users to pay a $100 deposit in order to access the site. The real Genesis Market is invite only. This led the
researchers to discover 19 other sites set up by the same actor. The sites contained some errors,
but they appear professional and appeared prominently in search engine results. The
scammer or scammers also advertised the sites on Reddit, and their Bitcoin addresses have received more than $132,000.
The researchers believe the scam is designed to take advantage of inexperienced researchers, would-be threat actors, and the generally curious.
They tied the scam to a user on a criminal forum with the username Walt Cranston,
a portmanteau word that combines the first name of the lead character of the TV show Breaking Bad with the last name of the actor who plays him.
So, Walt Cranston is apparently a Breaking Bad fan.
He's also apparently himself a meth dealer, like his TV hero.
He was listed as a meth dealer on several underground marketplaces.
Walt Cranston was accused by several members of these forums
of setting up scam sites after retiring from dealing drugs.
That whole honor among thieves shtick
didn't work out in the original TV show either.
Good show. Have you seen it?
Spoiler alert, it doesn't end well. So stay away from Los Pollos Hermanos.
Coming up after the break, Ben Yelin looks at legislation addressing healthcare security.
Our guest is Hugh Njemanze of Anomali
with advice on preparing for the holiday break.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
As the clock ticks down towards the end of the year and the holidays approach,
there is a palpable low-level anxiety that settles in over folks in the infosec world. Will we be able to
enjoy our long winter's nap or will there be another big one and all hands on deck breach
pulling us away from friends and family? I checked in with Hugh Njemanze, founder and president of
Anomali, for his perspective on the holidays as an attractive target.
There are some tried and true principles that should be sort of the first things to check on your list.
There is a notion of defense in depth.
And defense in depth really has to do with kind of layering your security precautions
so that if an opponent gets past one layer, then they run into another
one. So basically succeeding at one part of an attack doesn't necessarily get them to the prize.
And so it's similar to what they used to call that LoJack in cars. You look at a car, and if you see that it has some defenses,
maybe you move on to the next car.
And so if you can layer your defense so that there are multiple different hurdles
that someone has to cross, that's a good principle in general.
And there are ways to do that.
So that's one clear strategy to adopt. Another thing is that there are precautions
that are kind of common sense. So when you're looking at, for example, ransomware,
then it helps to have a strong usable backup of all the systems that are critical to you
so that if those systems are held hostage, your first recourse is to ignore the ransom,
wipe those systems, and restore them from a trusted backup.
Now, if you're going to do that, it's important that the backup itself not already be infected
or corrupted. And it's important that you have
confidence that you can restore those backups by actually trying them when there isn't a threat.
So that's one example. With attacks like Log4j, what's insidious about them is that they are vectored in through stuff that you already trust from your actual
provider vendors. In other words, software that you yourself are installing may already be
compromised before it's delivered to you. And so as an organization, you are unaware that you're
inserting Trojan horses when you update your systems. And so, for example,
in the case of Log4j, given that Apache was infected, then it really wasn't anything that
the customer was doing wrong themselves. It's just the fact that Apache itself had already been
compromised. And so in those kind of cases, there is an approach that I think is important,
but not necessarily considered a lot, which is that the first obvious thing is to identify
where you have those vulnerabilities. In other words, if it's a vulnerability in a tool like
Apache, which systems have that deployed?
So that part, I think, is fairly common tradecraft. So if you have 12,000 systems,
then you can do a scan and determine that 10,000 of them have software that can be compromised.
So that's good. But if it's the majority of your systems, it doesn't really
reduce the problem of how do I focus on the most important systems.
This is where I would say there is an approach that can be very complementary to simply cataloging where your vulnerabilities are.
That approach is to combine the catalog with identifying which systems have had external interactions. And more specifically,
if you have relevant threat intelligence, what you want to do is match that intelligence against
which of your systems have been accessed. So the idea is to maybe out of 10,000 systems from the
full 12,000, you want to know maybe 100 of those have actually had
external interactions with potentially malicious actors or known malicious actors.
And so now you have a much more focused game plan you can put in place, which is let me defend those
systems in depth. And also let me analyze those systems to see if they've already been compromised or
something is spreading from those to their neighbors. So again, the idea is not just
which systems are vulnerable, but which ones are interacting with external actors.
Yeah, that's interesting. I'm curious for your take also on the human side of this,
just preparing the team for the possibility that something could come along that'll interrupt their break.
Right.
Well, again, some things are common sense, like staying sort of vigilant and aware so that when you're receiving updates,
you want to use whatever tools you have
that can verify that a particular update
does not have compromises
that the earlier trusted version didn't have.
That might be easier said than done,
but it's a principle to sort of
keep people aware of and train them on. With the human side of attacks, which is basically
anything that relies on extracting information through tricking somebody on their job,
then people always have to be aware that any call they receive or any email
they receive or anything that requires clicking may or may not be what it looks like. Sometimes
it's easy to spot by looking for grammar flaws and so on. So if you're a, what should I call it,
if you're an OCD grammarian,
then those things are going to sort of
trigger your antenna automatically.
But even if you're not,
you should notice anything that looks like
probably not written by the company
that it purports to be coming from.
That's Hugh Njemanze from Anomali. And joining me once again is Ben Yelin. He's from
the University of Maryland Center for Health and Homeland Security, and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting article from the folks over at Healthcare IT News.
This is written by Andrea Fox, and it's titled,
Senator Warner Issues Healthcare Cybersecurity Policy Options.
What is going on here with the good senator from Virginia?
So, Senator Warner is the co-founder of the Senate Cybersecurity Caucus.
He's also been the chair of the Senate Select Committee on Intelligence.
So he's a pretty important figure in the Senate.
And he has released a paper on how to improve cybersecurity in healthcare systems, in the healthcare field.
So he makes a number of recommendations.
The biggest, and I think the one that's most noteworthy, is he calls for the creation of
a healthcare cybersecurity czar.
And that would be somebody who evaluates national risk posture in the healthcare industry, figures
out how to respond to cyber incidents among health systems and develops incentives that might help improve
healthcare cybersecurity capabilities.
Remember when czars were once very controversial
as government figures?
Yes, I do.
They're kind of unaccountable bureaucrats.
I think czars are kind of back in favor.
Just somebody who can...
Fashion.
Yeah, they're back in fashion.
It's just somebody who can devote attention
to a very narrow issue
where even somebody who is the head of CISA, for example,
can't focus narrowly on the healthcare industry.
Well, that was going to be my question.
Where would be the sensible place
for someone who's given this task to live?
Would that be working with CISA?
Yeah, I think it would probably be like a sub-position within CISA. So you just have
one department that focuses on healthcare, and then that's where you put your healthcare
cybersecurity czar. He also came up with a bunch of different policy recommendations that he thinks
should be introduced and passed by
Congress. So things like requiring HHS to perform more regular updates on HIPAA, particularly as it
relates to new technology, new applications, and consumer devices, a workforce development program
that focuses specifically on healthcare cybersecurity, minimum cybersecurity hygiene
practices for hospitals and health systems, where you
have incentives for compliance and disincentives for noncompliance, addressing the problem
of legacy systems.
I know that's been a huge issue.
Oh, yeah.
Many health systems rely on, you know, the equivalent of Windows 98 in their offices.
Right.
And that certainly presents major vulnerabilities. We've certainly seen that
at the government level as well. For example, in Maryland, our Department of Health in the state
was vulnerable to a ransomware attack in the winter of 2021, largely because we were using
legacy systems. His last proposal would be to require a software bill of materials for all software and
devices used in healthcare. So this is kind of a manifesto for this area of cybersecurity policy.
I think it's aspirational. It's really not going to happen in the next couple of weeks in this
current Congress, but he's going to maintain this role as a cybersecurity
expert and also with his chairmanship in the Senate. So it's something that I think we should
pay attention to in the next couple of years. Yeah, that's part of my next question, which is
someone in his position who sits on the committees that he sits on.
What is his ability to push something like this through? How does he go about that?
Well, you hold a lot of committee hearings and get some testimony from experts. And then,
you know, the way Congress works is it's really hard to pass anything.
But you probably try and get this...
Does he find something else to slip this into?
Exactly. Yeah. It'll be like the shelter for puppies bill
and tucked in a tiny little provision for healthcare cybersecurity policy.
Right, right.
But more seriously, this is the type of thing that would be included
in more like an omnibus cybersecurity bill.
I see.
But that's why you present these ideas in the first place.
So when that vehicle comes across the Senate, comes in front of a committee and onto the Senate floor, you already have a set of proposals that you can kind of log roll into that larger bill.
And I think that's what his goal is here, is to set out these aspirational goals and then see how much of it can be attainable certainly in the next couple of years.
Do you spot anything controversial in here?
I mean, I think we're still in a mode where it seems like cybersecurity provisions are generally adopted or encouraged in a bipartisan way.
Yeah, I agree.
I don't see anything that jumps off the page that's going to be, you know, like a shouting match on cable TV news about any of this.
I will say that some of the disincentives for hospital systems,
penalties for noncompliance,
penalties for not following minimum cyber hygiene practices,
you might get pushback from the industry.
Hospitals and health systems.
Right, additional regulatory burden.
Right, which certainly I understand,
but they're also going to be given incentives for good behavior.
But that's where I would see the area for the most potential pushback.
No industry likes to be regulated and likes to be subject to noncompliance penalties from the federal government. And hospitals and health systems are powerful influences in Washington.
They have some of the best lobbyists out there.
So I think that would be the one area
that would be particularly controversial.
But I wouldn't guess that that would be a burden
for overcoming this general policy framework
on healthcare cybersecurity.
All right.
Well, Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second and staying ahead is more than just
a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you
total control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis,
Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly,
Jim Hoscheit, Chris Russell, John Patrick, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella,
and I'm Dave Bittner.
Thanks for listening. We'll see you all back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.