CyberWire Daily - Disentangling cybercrime from cyberespionage. A threat to the IoT supply chain. What do you do with the hacktivists when they stop being hacktivists? A retired FBI Special Agent is indicted.
Episode Date: January 24, 2023
DragonSpark conducts "opportunistic" cyberattacks in East Asia. ProxyNotShell and OWASSRF exploit chains target Microsoft Exchange servers. The IoT supply chain is threatened by exploitation of a Realtek Jungle SDK vulnerability. CISA adds an entry to its Known Exploited Vulnerabilities Catalog. A Cisco study finds organizations see positive returns from investment in privacy. What's the hacktivist's postwar future? Joe Carrigan tracks a romance scam targeting seniors. Our guest is Pete Lund of OPSWAT to discuss the security of removable media devices. And a retired G-Man is indicted on multiple charges. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/15
Selected reading.
DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation (SentinelOne)
Technical Advisory: Proxy*Hell Exploit Chains in the Wild (Bitdefender)
Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats (Unit 42)
CISA Adds One Known Exploited Vulnerability to Catalog (CISA)
2023 Data Privacy Benchmark Study (Cisco)
Hacktivism Is a Risky Career Path (WIRED)
Retired FBI Executive Charged With Concealing $225,000 In Cash Received From An Outside Source (Department of Justice, U.S. Attorney's Office, District of Columbia)
Former Special Agent In Charge Of The New York FBI Counterintelligence Division Charged With Violating U.S. Sanctions On Russia (Department of Justice, U.S. Attorney's Office, Southern District of New York)
Former Senior F.B.I. Official in New York Charged With Aiding Oligarch (New York Times)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
DragonSpark conducts opportunistic cyber attacks in East Asia.
ProxyNotShell and OWASSRF exploit chains target Microsoft Exchange servers.
The IoT supply chain is threatened by exploitation of Realtek Jungle SDK vulnerabilities.
CISA adds an entry to its known exploited vulnerabilities catalog.
A Cisco study finds organizations see positive returns from investment in privacy. What's the hacktivist's post-war future? Joe Carrigan tracks a romance scam targeting seniors. Our guest is Pete Lund of OPSWAT to discuss the security of removable media devices. And a retired G-man is indicted on multiple charges.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 24th, 2023.
So are they spies or just crooks? Sometimes it's not obvious, and that's the case today with a group that's romping through East Asia with some seldom seen but not entirely novel tools. SentinelOne this morning described the activities of a threat actor they're calling DragonSpark. The researchers are fairly confident it's a Chinese group, but whether it's a criminal or an intelligence organization remains unclear. The motive behind the attacks could be either financial gain or espionage. DragonSpark is making heavy use of SparkRAT, a multi-platform and feature-rich tool that's open source but little seen, and that's also regularly updated with new features. The attacks use Golang source code interpretation, also an uncommon technique, to thwart static analysis and evade detection.
Bitdefender has observed an increase in attacks using ProxyNotShell and OWASSRF exploit chains to target Microsoft Exchange servers. ProxyNotShell and OWASSRF are exploit chains that launch server-side request forgery against Exchange servers. These exploits can allow an authenticated user to escalate access and carry out remote code execution. BleepingComputer reported earlier this month that more than 60,000 Exchange servers are still vulnerable to these attacks. Bitdefender describes several recent attacks using these exploit chains, including one by the Cuba ransomware operation. Bitdefender says that most of these attacks targeted entities in the United States, but that companies in Poland, Austria, Kuwait, and Turkey have also suffered. Look to your patches and look to your mitigations.
Looking at attack records between August and October of last year, Palo Alto Networks' Unit 42 researchers discovered that one vulnerability in particular, a remote code execution issue affecting the Realtek Jungle SDK, was particularly attractive to attackers. It's unusual, Unit 42 says, to see a single vulnerability account for more than 10% of the attacks detected over a period of time, but this one accounted for more than 40% of the total number of attacks over those three months. The researchers wrote this morning, "Many of the attacks we observed tried to deliver malware to infect vulnerable IoT devices. This tells us that threat groups are using this vulnerability to carry out large-scale attacks on smart devices around the world."
CISA yesterday added a vulnerability to its Known Exploited Vulnerabilities Catalog. U.S. federal civilian executive agencies have until February 13th to apply vendor updates to address CVE-2022-47966, a remote code execution vulnerability affecting multiple Zoho ManageEngine products. The affected products contain an unauthenticated remote code execution vulnerability due to the use of an outdated third-party dependency.
Cisco this morning released their 2023 Data Privacy Benchmark Study, which takes a foray into privacy and its impact on organizations from the perspective of security professionals worldwide. The study details continued strong investment in privacy despite the global economic downturn, reporting an increase from $1.2 million three years ago to $2.7 million today. Organizations believe these are worthwhile investments, citing building trust with customers, reducing sales delays, and mitigating losses from data breaches as significant or very significant benefits of these expenditures. The benefits are estimated to be worth around 1.8 times what organizations are spending, with a whopping 94% of those surveyed indicating that the value of the investments outweighs the costs overall. 79% of surveyed professionals believe that regional privacy laws have been a positive influence, with privacy legislation now present in 157 countries, 12 more than last year. A majority of respondents, 88%, reported being more comfortable storing their data within their own country's borders. However, once factors such as cost and security are considered, the reality drives professionals toward global providers: the bulk of respondents, 90%, said they believe a global provider operating at scale would be better suited to data protection than local options.
Hacktivism has been practiced by both sides during Russia's war against Ukraine,
with both Moscow and Kyiv using hacktivists as an auxiliary to their security and intelligence services' cyber organizations. In Russia's case, these auxiliaries have been marshaled to a significant extent from the Russian organs' long-standing relationship of tolerance and collaboration with criminal organizations. The situation in Ukraine has been different, with more emphasis on recruiting IT sector workers, hobbyists, and script kiddies into the IT Army. An essay in Wired wonders what the IT Army's hacktivists in particular can expect once the war is over. Could they, for example, be prosecuted for cybercrimes? It seems unlikely that any jurisdiction other than a Russian one would undertake to do so, but Wired considers it a serious possibility. Hacktivists who've developed their skills during the war do represent an augmentation to a cyber workforce, and governments might devote some thought to what to do with them in the post-war world. The essay concludes, "In 2023, voluntary cyber organizations in support of Ukraine may therefore prove to be both an opportunity and a challenge. Governments would do well to see the IT Army of Ukraine as a recruiting ground, a pool of talent for official cyber-volunteer programs." Of course, it's possible that they'll go back to their old jobs or find other hobbies to replace their wartime engagement. If the hacktivists feel, however, that they've discovered their vocation, then careers in threat research or pen testing could be good possibilities.
And finally, in a black eye for the Bureau, retired FBI agent Charles F. McGonigal, formerly the special agent in charge of the New York field office, has been indicted for improper contact with foreign agents. The U.S. Attorney for the District of Columbia yesterday said that, according to the nine-count indictment unsealed today, from August 2017 and continuing through and beyond his retirement from the FBI in September 2018, McGonigal concealed from the FBI the nature of his relationship with a former foreign security officer and business person who had ongoing business interests in foreign countries and before foreign governments. Specifically, McGonigal requested and received at least $225,000 in cash from the individual, traveled abroad with the individual, and met with foreign nationals. The individual later served as an FBI source in a criminal investigation involving foreign political lobbying over which McGonigal had official supervisory responsibility. McGonigal is accused of engaging in other conduct in his official capacity as an FBI special agent in charge that he believed would benefit the business person financially.
Some of these actions took place before Mr. McGonigal retired from the FBI in September of 2018, but he's also in trouble for activity alleged to have occurred after he completed his career at the Bureau. The U.S. Attorney for the Southern District of New York, in a separate announcement yesterday, said that Mr. McGonigal has also been charged with five counts connected with alleged violations of sanctions against Russian entities. Specifically, he's charged with violating and conspiring to violate the International Emergency Economic Powers Act, and with conspiring to commit money laundering and money laundering. The sanctioned Russian oligarch Mr. McGonigal is alleged to have been close to is Oleg Deripaska, who, the FBI said in their comment on the arrest, performs global malign influence on behalf of the Kremlin and is associated with acts of bribery, extortion, and violence. Of course, those accused are rightly considered innocent until proven guilty. The story, however, can't be described as anything other than depressing.
Coming up after the break, Joe Carrigan tracks a romance scam targeting seniors. Our guest is Pete Lund of OPSWAT, who discusses the security of removable media devices. Stick around.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24/7, 365, with Black Cloak. Learn more at blackcloak.io.
Every few years, we see reports of someone doing a test where they drop a bunch of USB flash drives in a parking lot to see how many people will find one, take it inside, and plug it into their work computer without giving it a second thought. Indeed, infected removable media was part of the plan recently observed from the UNC4190 cyber espionage group targeting organizations in Southeast Asia. Pete Lund is VP of OT Security Products at OPSWAT, and I reached out to him for a reality check on securing removable media.
Although we have seen some of our customers implement technologies that actually let you transition the removable media, the data on the removable media, from removable media to something like an internal network share. So giving you the ability to kind of stop that threat while you do a bit of a check and move to a more acceptable form of media installation.
That's interesting. Kind of remotely detonate the removable media device.
Yeah, yeah. Give you the ability to check it, see what's on it. Okay, let me only take the things that are good, known good, and move them into the environment safely.
So, Pete, what are your recommendations? I mean, people have systems that they need to have air-gapped, and when they need to get stuff on and off of them, what kind of options do they have?
So, really, I like to start with the easiest one, which is around policy and procedure. There's lots of great recommendations, whether they come in the form of, like, NERC CIP in the US utility, that step and check to say, validate who is bringing in the media, validate in a very basic way what's on it. So people and process are very much at the heart of cybersecurity. And then as you mature, you can get into doing things like dedicated removable media scanning stations, and even some that provide this ability on the fly in a mobile environment, or even doing things like transitioning of that media to something that's known good. So let's say you're standardized on using a specific type of trusted removable media in your environment; you can do that transition with some great tools out there.
And what is the state of things when it comes to things like a scanning station? I mean, are those reliable? Is that the kind of thing that people can count on?
Yeah, they're highly reliable, and they do it kind of in an interesting way, where a typical computer that you and I might be using right now might have traditional antivirus, anti-malware programs on it. What scanning stations do is they leverage multiples of those. And at OPSWAT, we use up to 30 different scanning engines to really get close to 100% effective capture of those threats. And really, your earliest way to get access to stopping or discovering kind of a zero-day. We've got lots of different engines from great vendors that you've heard of around the world. And that really helps that detection capability.
And how do you keep from injecting too much friction in the process here, you know, slowing down people's work?
Yeah, so two different ways we like to tackle that. One is you can actually do this scanning in that media transition mode that I talked about. So if a contractor is looking to introduce something in, you can have it scanned as soon as the contractor arrives while they're checking in, signing their name at the front desk. And then we take technology and go off and do all that scanning in the background. And by the time the contractor walks their way down into the industrial environment, that media has been scanned and approved or even transitioned to the industrial environment on their behalf. So really making it part of that early in the workflow, because we know scanning takes time. And it's all about that time and number of engines and processing. And we offer some great solutions that can be deployed and used in a very, very rapid environment. And that's great ways to mitigate the time there.
What are your recommendations for folks who are looking to get started with this, to go down this pathway? Where's a good place to begin?
Yeah, so a great pathway is to start to understand your process. So do you have contractors bringing in removable media? Is it employees from IT that need to bridge the IT/OT gap? Look at what types of media are coming in. Is it binaries to update things like PLCs and RTUs? Is it very large Windows updates? Is it programmable logic data? Take a look at the data that's coming in, and then you can kind of right-size your solution for not only the data, but the threats you're worried about. Are contractors bringing in things like Word documents or PDFs? All those can be part of the process and understanding and choosing what the right solution can be for you. And then ultimately, if you can take a strong stance on banning removable media, you can actually have the ability to do some of this scanning prior to someone showing up. So oftentimes we'll introduce workflows where a contractor is going to be on site next week. Mr. Contractor, please upload all of your files to this safe and secure portal, and they'll be scanned and ready for you and on removable media when you arrive. So you can even get that kind of mature with your removable media security program.
That's Pete Lund from OPSWAT.
And joining me once again is Joe Carrigan.
He is from Harbor Labs and the Johns Hopkins University Information Security Institute.
Hello, Joe.
Hi, Dave.
Interesting story. This came by way of the Associated Press, and it's titled "Fake 'General' Scammed Seniors in Online Romance Scheme." This is the kind of thing we cover over on Hacking Humans quite often. What's going on here, Joe?
So this is a story. I don't know why the dateline's coming out of Providence, Rhode Island, but it's a story about a Texas man who's pled guilty in a romance scam where he scammed a total of about $1.6 million from women, pretending to be a U.S. Army general. Now, his name is Fola Alabi. I think I'm saying that right. Even though this guy's a criminal, I don't want to disrespect his family name, but he pleaded guilty in the U.S. District Court of Rhode Island. I guess that's why it's coming out of Rhode Island, because the feds have taken this guy into custody. I don't know if you're familiar with the difference between, I mean, there's a difference between federal and state prosecution. You probably are familiar with that from Ben Yellin, but the feds, when the feds prosecute you, it's a whole different ball game than when you're being prosecuted by a state or a local attorney. It is bad news, because one of the things about the federal government and the lawyers is they do not like losing cases. So generally they don't take a case unless they're pretty sure they can get a conviction.
I see.
So what exactly was the scam here?
So the scam was he would be on social media sites
and would fake that he was,
or tell these women that he was a general in the army
and stationed overseas.
He went after women in their 70s or 80s
and they were usually widowed or divorced.
And he would then persuade them to send him checks or cash.
And he lived in Richmond, which is near Houston, Richmond, Texas.
The money was then deposited into his bank accounts,
which he then started moving around very quickly.
So the feds have charged him with conspiracy,
which is the romance scam part, and then money laundering,
which is moving the money around and trying to disguise where it came from. One of the victims was a woman from Arizona who lost $334,000. The prosecutors are saying that she, quote, felt shame, embarrassment, and guilt over being scammed and now doesn't have enough money to buy food or pay bills as a result.
Wow. I'm hopeful that they can get some of the money back for this poor woman.
Yeah.
Who was scammed out by this, scammed out of a third of a million dollars by this guy.
That was probably her life savings.
In fact, that was her life savings.
There was a Rhode Island woman who sent a check for 60 grand and was going to send an additional 24, I'm sorry, $240,000, but her bank determined that she was being the victim of fraud and put a hold on her account and notified police. So whoever that bank is, thank you very much. Good job. I wish more banks did this.
But that's an interesting trend though. I mean, I think, again, something we talk about over on Hacking Humans is that we're seeing more and more of this, even to the point where cashiers at drugstores, if they see you buying a bunch of gift cards, they have been trained now to ask you what's going on.
Right.
I went into the Lego store.
Did I tell you this already?
No.
I went into the Lego store to buy some gift cards for my nephews.
Yeah.
And I walk up to the guy and I say, I need $200 gift cards for my nephew who's in deep legal trouble. And he looks at me and I go, I'm kidding. I need them for my nephews. But he's like, that's good, because I wouldn't sell them to you. We had a conversation about it.
I told him about this, about our podcast, Hacking Humans.
And he said, well, I'll check it out.
He probably never checked it.
But he'd been trained.
He'd been trained.
Right.
He'd been trained.
Exactly.
He knew what to look for.
Here's something interesting about this.
When federal agents searched Alabi's phone, they found photographs and videos of packages containing cash and checks he received from the victims. Dave.
It's always good to document your crime.
Right. Yeah.
Dave, whenever I'm up to something that is a little silly and my daughter pulls out the cell phone, I go, that's evidence. Put that away.
Right. Right. Right.
And I don't understand why these criminals do this. Hey, look at all this money I just scammed this woman out of, let me take a picture of it. I'm glad that he does it. I'm glad that he did it, because that's just more evidence for the prosecutors to use to convict them. And actually he got a plea, or he plead, he pled out; sentencing is scheduled for April 25th. So it'd be interesting to see how much time this guy gets.
So I suspect, you know, a lot of folks in our audience, who certainly are better informed than the average person out there, they're probably nodding their head along with this and thinking, well, I certainly would never fall for something like this. But I think, first of all, you might. Right. Second of all, that's a dangerous mindset to have.
Yeah. I think, you know, one of the main reasons we share this is that it's good to check in with your loved ones.
Right. That's a good point.
Let them know about this sort of thing.
The older folks, the people who might be vulnerable here, this is an interesting story.
It's great to have a conversation about and use that as a way to discuss some of these potential frauds.
Those of us who are in the know kind of have a responsibility to look out for folks who may have a target on their backs.
Right.
And anybody that is going to have a target, two things I want to say.
Everybody has a target on their back.
And it's just a matter of finding out what that target is, which kind of dovetails into the "I would never fall for this" kind of mindset. I said that's a dangerous mindset, and I mean that. You may not fall for this specific scam, but there is something that will work on you. Pretty much guaranteed, there's something that will work on you. When we're talking on Hacking Humans, every now and then we hit something and I go, this is one that would work on me. The one thing that comes to my mind every single time, the first example of that, is a pickpocketing scheme where a pickpocket will take a bottle of mustard or ketchup or something and spray it on a kid. And then the kid goes up to his parent and goes, look what happened, somebody just got mustard all over me. That would work on me pretty much every time, right? Because I'm like, oh, look at your clothes. I can't stand the kids being messy. I would be bending down, and that's when they reach behind you and pick your pocket. Right. So there are things that will work on you. You have a trigger. You may not know what it is. The more I think that you listen to stories like this, the more inoculated and better off you are.
Yeah.
But that does not make you impervious.
Yeah, absolutely.
All right.
Well, Joe Carrigan, thanks for joining us.
It's my pleasure.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Urban and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.