CyberWire Daily - Evolution of criminal scams (especially BEC). Law enforcement honeypots. ChatGPT data leak. Hybrid war updates.

Episode Date: March 27, 2023

IcedID is evolving away from its banking malware roots. An Emotet phishing campaign spoofs IRS W9s. The FBI warns of BEC scams. A fake booter service as a law enforcement honeypot. Phishing in China's... nuclear energy sector. Reports of an OpenAI and a ChatGPT data leak. Does Iran receive Russian support in cyberattacks against Albania? My conversation with Linda Gray Martin and Britta Glade from RSAC with a preview of this year's conference. Our own Rick Howard takes a field trip to the National Cryptologic Museum. And de-anonymizing Telegram.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/58

Selected reading.
Fork in the Ice: The New Era of IcedID (Proofpoint)
Emotet malware distributed as fake W-9 tax forms from the IRS (BleepingComputer)
Internet Crime Complaint Center (IC3) | Business Email Compromise Tactics Used to Facilitate the Acquisition of Commodities and Defrauding Vendors (IC3)
Phishing Campaign Targets Chinese Nuclear Energy Industry (Intezer)
'Bitter' espionage hackers target Chinese nuclear energy orgs (BleepingComputer)
UK Sets Up Fake DDoS-for-Hire Sites to Trap Hackers (PCMag Middle East)
UK National Crime Agency reveals it ran fake DDoS-for-hire sites to collect users' data (Record)
OpenAI: ChatGPT payment data leak caused by open-source bug (BleepingComputer)
OpenAI says a bug leaked sensitive ChatGPT user data (Engadget)
March 20 ChatGPT outage: Here's what happened (OpenAI)
How Albania Became a Target for Cyberattacks (Foreign Policy)
Russia's Rostec allegedly can de-anonymize Telegram users (BleepingComputer)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. IcedID is evolving away from its banking malware roots. An Emotet phishing campaign spoofs IRS W-9s. The FBI warns of BEC scams. A fake booter service as a law enforcement honeypot.
Starting point is 00:02:17 Phishing in China's nuclear energy sector. Reports of an OpenAI and ChatGPT data leak. Does Iran receive Russian support in cyber attacks against Albania? My conversation with Linda Gray-Martin and Britta Glade from RSAC with a preview of this year's conference. Our own Rick Howard takes a field trip to the National Cryptologic Museum, and de-anonymizing Telegram. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 27, 2023. IcedID seems to be evolving away from its banking malware roots. Proofpoint this
Starting point is 00:03:20 morning released a report describing three strains of the IcedID banking malware in use by several distinct threat actors. There's the standard IcedID variant. This is the variant most commonly observed in the threat landscape and used by a variety of threat actors. There's the light IcedID variant. This is a new variant observed as a follow-on payload in a November Emotet infection that does not exfiltrate host data in the loader check-in and a bot with minimal functionality.
Starting point is 00:03:51 Then there is the forked IcedID variant. This is a new variant observed by Proofpoint researchers in February 2023, used by a small number of threat actors, which also delivers the bot with minimal functionality. The classic standard IcedID variant is the one most clearly adapted to traditional banking attacks. The light and forked variants have seen removal of the components typically found in banking malware, which suggests to the researchers that IcedID is evolving away from its traditional uses and is becoming a loader for follow-on infections. These sorts of follow-on attacks are likely to include ransomware.
Starting point is 00:04:35 Bleeping Computer yesterday morning reported that a new Emotet phishing campaign has been observed targeting U.S. victims by sending them bogus W-9 tax forms. Researchers at Malwarebytes and Palo Alto Networks' Unit 42 have observed Emotet malware targeting U.S. taxpayers with emails containing the fake W-9 tax forms as attachments, with the phishing email claiming to be from an inspector at the Internal Revenue Service. Brad Duncan of Unit 42 observed that this campaign used Microsoft OneNote documents with embedded VB script files containing and installing Emotet. Duncan stated,
Starting point is 00:05:17 When launching the embedded VB script file, Microsoft OneNote will warn the user that the file may be malicious. Unfortunately, history has shown us that many users ignore these warnings and simply allow the files to run. Emotet will then be installed and run on the device, awaiting further payloads and engaging in credential harvesting. The FBI has issued an alert warning that criminals are launching business email compromise attacks to acquire physical goods in bulk. The targeted goods include construction materials, agricultural supplies, computer technology hardware, and solar energy products. The Bureau states, to delay the discovery of the fraud, criminal actors apply and are often granted credit repayment terms
Starting point is 00:06:06 known as net 30 and net 60 terms, providing fake credit references and fraudulent W-9 forms to vendors. The repayment terms allow criminal actors to initiate additional purchase orders without providing upfront payment. The Record Friday reported that the United Kingdom's National Crime Agency disclosed secretly running fake DDoS-for-hire sites to collect data from those involved in cybercrime. Those who registered for the fake sites would not be given access to attack tools. Instead, their data would be taken by investigators. PCMag reports that the sites are designed in a way to collect any user data,
Starting point is 00:06:49 which would then be relayed to appropriate law enforcement. That includes international law enforcement authorities if the sites were accessed from outside the UK. The agency reports the creation of several websites. The NCA says that the fake sites have been accessed by several thousand people, according to Bleeping Computer. One of the sites was replaced Friday with a splash page noting that the site was under law enforcement control. Senior NCA officer Alan Merritt stated, traditional site takedowns and arrests are key components of law enforcement's response to this threat.
Starting point is 00:07:25 However, we have extended our operational capability with this activity, at the same time as undermining trust in the criminal market. Intezer says the Bitter APT is conducting cyber espionage against nuclear entities in China. Bitter is a South Asian cyber espionage actor known to target Pakistan, China, Bangladesh, and Saudi Arabia. In its latest campaign, Bitter sent spear phishing emails posing as the embassy of Kyrgyzstan to target individuals working in China's nuclear energy industry. The email subject and body used terms and themes that would be familiar to the recipients in the governmental and energy sectors. The emails contained Microsoft Compiled HTML Help
Starting point is 00:08:13 or Excel attachments designed to deliver malware. OpenAI last week took ChatGPT offline to patch a bug that allowed users to see the titles of other people's chat conversations, Engadget reports. The company also found that some personal and payment information of ChatGPT Plus users was exposed. According to Engadget, OpenAI states, Upon deeper investigation, we also discovered that the same bug may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window. for some users to see another active user's first and last name, email address, payment address, and last four digits of a credit card number and credit card expiration date. Full credit card numbers were not exposed at any time. Last September 7, 2022, Albanian Prime Minister Edi Rama ordered the expulsion of Iranian diplomats in retaliation for an extensive cybersecurity offensive
Starting point is 00:09:26 Tehran had been running against Albanian targets. Foreign Policy reminds its readers that those operations were, for their part, Iranian retaliation for its sheltering of thousands of members of the MEK, a once-violent, cult-like Iranian opposition group residing in a fortified camp in Manëz, Albania, after being evacuated from Iraq in 2016. There have been signs since then of Russian support for Iran's cyber campaign against Albania. While evidence of direct involvement of Russia's security and intelligence units is circumstantial, ambiguous, and unproven, Russian privateering criminal organizations like LockBit have recently been active against
Starting point is 00:10:11 Albanian targets. And finally, if sources in Moscow have it right, Telegram is less anonymous than many have believed. Rostec, a Russian state-owned defense conglomerate, is reported to have developed a way of de-anonymizing Telegram channels, Bleeping Computer reports. The capability is expected to be delivered to the FSB and other security units this year. In the account by the dissident Russian outlet The Bell, the effort amounts to a heavy-handed campaign designed to align Telegram feeds with the government line. The tool Rostec has built so far, Hunter, is said to use over 700 data points to make associations and correlations that can lead to unmasking the otherwise anonymous Telegram users. Hunter casts a wide net if it indeed operates as advertised. Such is the public
Starting point is 00:11:07 account of the capability by Rostec and the Russian government, who compare Hunter to Palantir, but the story seems unlikely to at least some observers. The opposition activist group Roskomsvoboda writes, but for identifying channel owners, one cannot with certainty assume that the scheme could work without mixing in either some kind of zero-day vulnerability in the Telegram API or without the cooperation of someone with administrative access to the messenger servers.
Starting point is 00:11:38 That is, there's either a vulnerability in Telegram's software or a compromised insider with considerable access. Coming up after the break, my conversation with Linda Gray-Martin and Britta Glade from RSAC with a preview of this year's conference. Our own Rick Howard takes a field trip to the National Cryptologic Museum.
Starting point is 00:12:07 Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:12:45 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Starting point is 00:13:06 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been
Starting point is 00:13:57 breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. The 2023 RSA Conference is just about a month away, and for those attending in San Francisco, it's an opportunity to connect with about 45,000 of your closest friends and colleagues for an intense few days of all things InfoSec. There are keynotes, talks, presentations, a huge show floor, parties, and a chance to catch up with folks you may not get to see the rest of the year. The CyberWire is an official media partner of RSA Conference. And for a preview of this year's show, I reached out to Linda Gray-Martin, Senior Vice President of RSA Conference, and Britta Glade,
Starting point is 00:14:56 Vice President of Content and Curation at RSA Conference. Linda Gray-Martin starts us off. Our event last June, RSAC 2022, was our first in-person event for two years. And I think we quickly realized the joy of our community and being able to meet in person again. And so the theme for this year couldn't really be more appropriate, stronger together. And we use a famous quote in the description of our theme, which is from Helen Keller, and says, alone we can do so little, together we can do so much. And I think it kind of says it all. We have such a passionate, committed community and protecting the world from cyber threats is best accomplished by working together and by sharing our successes and failures. So that's really the kind of backstory of how we got to the theme this year. And we try and weave
Starting point is 00:15:40 it throughout the event. And, you know, you'll see it in sessions as well. Our speakers kind of tend to embrace it. So you'll definitely see that theme weaving throughout the event. For folks who are coming out this year, what can they expect? Is there anything new, or a comfortable setting for those who have experienced it before? So looking at our keynote program, which is refreshed every year, our goal with our keynote program is always to provide our attendees with insights from thought-provoking experts. So not necessarily people who are from the cybersecurity industry, but generally who have some relevance within the
Starting point is 00:16:16 industry. We welcome creative thinkers and industry visionaries who are going to spark conversation and just make us think a little bit differently. So just some of the speakers we are welcoming this year, we have Lisa Monaco, the US Deputy Attorney General. We have Dr. Michio Kaku, who has spoken at RSA Conference before. He's a theoretical physicist. And I know wowed the attendees when he spoke for us a few years ago. We also have George Kurtz, co-founder and CEO of CrowdStrike. So somebody within the industry. And then I think a crowd favorite is surely going to be Eric Idle,
Starting point is 00:16:52 the co-creator of Monty Python, a musician and writer. And he is going to be embracing our theme and talking about the strength that he found with his Monty Python team when they were working on the kind of movie series. Britta, let me pivot to you then. I mean, what are your insights?
Starting point is 00:17:13 What are you looking forward to this year? You bet. We are the power of the community. So it's finding the ways to gather people in small ways, in big ways, in medium ways, because that's when the sparks fly, when the magic happens, when you have conversations and gain perspectives that you may not have had before. So we've got, gosh, at the end of the day, it'll be over 500 sessions delivered in a wide variety of formats. Birds of a Feather, last year we introduced those happening throughout the entire event and that really resonated for people. So that'll happen this year as well, starting at 8:30 in the morning Monday, you'll have the
Starting point is 00:17:57 opportunity to be in those small Birds of a Feather all the way through Thursday. Those are paralleling when the track sessions are going on too. So I would counsel people strongly. Spend some time looking at the agenda beforehand. Kind of mark out your path of my must-haves, my it would be nice if, and here's my backup. As you approach the content, as you approach the expo floor, as you approach a variety of great social activities throughout the week, you'll find all kinds of things that feel familiar and some new opportunities as well. There really is so much to see, and it is the kind of conference, the scale of it, I think can be a little overwhelming to first-timers. Do you have any advice or words of wisdom for folks who may be coming out there for the first time? Yeah. And thank you for bringing this up, actually, because it's perfect timing
Starting point is 00:18:51 in that this year we are really placing a focus on people who have never been before. We understand that there's a lot going on and it's big and it's overwhelming, particularly if you're there on your own. So this year on the Sunday night before the event kicks off on the Monday, we are actually having a get together for first timers, but also for some of our loyalty plus attendees. So for people who have attended more than five conferences, we thought that there would be something really special about bringing the two groups together to really learn from each other. And we wanted to do it on the Sunday night just to give people the chance to make connections before going into the week. So particularly if you're there on your own, like I said, that you're meeting people from the get go. So hopefully that will be a success for that group.
Starting point is 00:19:41 And we also do a webcast ahead of time where we run through some tips and techniques from our team. Many of our team have been on the team for a while and we want to share the wisdom that we have and impart the knowledge that we have and create a friendly, welcoming environment for everybody. So for anybody that's attending that this is their first time attending, we'd love you to come to that reception and give you a chance to get to know some peers and colleagues who will hopefully remain connections of yours for years to come. I'd like to wrap up with you both and talk a little bit about, again, this theme of stronger together, where I think we're seeing some volatility in the industry that maybe we haven't experienced before. We're seeing layoffs. And I think there's an opportunity here for folks who may be job hunting to go out and, you know, pound the pavement there at the show and make some new connections.
Starting point is 00:20:36 I think it's a great point. And, you know, the one thing we always say about RSA conferences, it's that the convening authority, that one time a year where the whole community comes together, you know, for as much as the people that can be there can be. And Britta, I'm going to steal one of your phrases once again, because I really love the way you coined this phrase, which is honour the community that is yours. And I think it's a really very relevant thing in the scenario that you outlined. It's like there are so many people that come to RSA Conference that can help you, that you can help, you know, a whole array of different opinions and people with different backgrounds and content that's going to help you kind of enrich your perspective of important
Starting point is 00:21:25 topics. So, you know, please come and honor that community that is yours for the taking. Yeah. And that's why we've created all these opportunities. Every nook and cranny of the entire city will be full of people, you know, deep in conversation. And one thing I have always appreciated and loved about our community is really the support they have for one another. So absolutely lean in, become stronger together, share thoughts, share needs, because I am so inspired every single day
Starting point is 00:22:00 by the camaraderie that was here, the mentorship that is here, and really the dedication to helping lift us all together. Our thanks to Linda Gray-Martin and Britta Glade from RSA Conference for joining us. The conference runs from April 24th through the 27th. We hope to see you there. Just up the road from CyberWire Intergalactic Headquarters is NSA Headquarters, and on site there is the recently renovated National Cryptologic Museum.
Starting point is 00:22:44 When they reached out with an offer of a behind-the-scenes tour, my Cyber Wire colleague Rick Howard couldn't resist. Hey everybody, Rick here. Have I got a special treat for you. A couple of weeks ago, I got invited to visit the U.S. National Cryptologic Museum just outside the National Security Agency's headquarters in Maryland and meet the director, Dr. Vince Houghton. So after the obligatory Denny's breakfast with sound engineer Trey Hester and producer Liz Irwin,
Starting point is 00:23:11 the three of us went up to the museum to get a tour and have a discussion with Dr. Houghton about the exciting new exhibits that he and his team have installed while the rest of us were in COVID lockdown. Enjoy. My name is Vince Houghton. I'm the director of the National Cryptologic Museum. I've been here since October of 2020. So let's talk about the COVID years, right? Because you had an opportunity to change things. What was all that about? Well, unlike everyone else, we had to work during COVID. I mean, everyone worked during COVID. We had to come in during COVID. And we took advantage of it. I think that one of the things museums never get a chance to do is take a pause and take a break. So we took the opportunity to do that. I mean, it was a combination of COVID with new leadership, with new ideas about the direction this museum was going.
Starting point is 00:23:57 So we did everything. If you haven't been here and you've been to the pre-COVID museum, you'll be amazed at how different it is. You spared no expense. Well, no expenses. We made a lot of trips to Home Depot. I'm very good at demo. Other people can build stuff. I can break stuff down pretty well, and we did a lot of that.
Starting point is 00:24:15 We also had the opportunity to do a full inventory for the very first time of all of our assets. We have a warehouse. NSA runs a warehouse down the road a bit that had thousands of our artifacts in it. And we say this all the time, but it's true in this case. It looks like the end of Raiders of the Lost Ark.
Starting point is 00:24:35 It's a government warehouse, floor-to-ceiling crates. Some of them hadn't been opened in 50 years. Some of them had been just sealed up right after World War II, or after Korea, after NSA was formed in 1952, and never really looked at again. Really. And, you know, for us that was really neat. I mean, as a historian, it was nerding out a little bit. In many cases, though, it was frustrating because people put stuff in there without the intent of it being seen in a museum later on.
Starting point is 00:25:07 So the information they gave us was like German cipher machine, World War II, and that was it. And unless it's an Enigma or something similar, we had to do a lot of research to figure out what a lot of this stuff was. Fortunately, we had the time to do that too. So we were able to, kind of a team effort, figure out what a lot of this stuff was that no one had ever really looked at before. What is the theme that we're going to see here currently? Is there a thread that kind of walks everything through, or? It's not a chronological thread. So we decided to design this to where you didn't have to go in order, like a linear path through the museum. I think the big theme is what I call the holy trinity of artifacts. And that is artifacts that are the first of something.
Starting point is 00:25:50 So serial number zero or the prototype. Artifacts that are the only one of something. So maybe they made a thousand of them and there's only one left and we've got it. Or artifacts that were used by an individual, very specific person, or in a specific historical event. My goal is to get to 100% of artifacts on display falling within one or more of those three categories. Right now, we're at about 80%. So the thread is you're seeing, every direction you look, things you can only see here. We're in the Washington, D.C. area. We're competing for eyes, right? We're competing with the Smithsonians, with the Spy Museum. So how do we draw people here? We draw people here with the assets that we have that no one else does.
Starting point is 00:26:27 So do you have a favorite of each of those categories? I know it's hard to say. These are my babies. So my baby is one of the things that we brought in. I alluded to this already. Or things that, until we opened, most of the public didn't know NSA actually did. And that's nuclear command and control. When I got here, after a little while of kind of figuring out what our assets were, we got a phone call from what we call NC2, nuclear command and control.
Starting point is 00:26:53 And they said, hey, look, all of our stuff is now obsolete. So our whole generation of equipment that we used is no longer secret, or it's going to be declassified very soon. Would you want it for the museum? And I'm like, yeah, of course. I'm like, what are we talking about here? Well, we're talking about the DEC Alpha, and with the DEC Alpha made the nuclear codes. I'm like, what do you mean, the nuclear codes? Do you mean the, the nuclear codes? Like, oh yeah, the, the nuclear codes. So now we have the servers in the museum that created the nuclear codes for the president from the 1980s all the way up through just a couple years ago. That's awesome. Cool as it gets. And then historically, we have some, you know, game-changing artifacts,
Starting point is 00:27:38 whether it's the U.S. Navy cryptanalytic bombe, which is a big five-ton machine that is the only remaining version of about 100-plus machines that we made to break the German Navy U-boat four-rotor Enigma, that Winston Churchill said shortened World War II by two years. The other hundred and so of them were melted down; there were five tons of steel. Those are things that kind of stand out as, like, uber-nerdy for me and really make this museum worth the trip, because there's just nowhere else on earth you can see this stuff. You can hear Rick Howard's complete tour of the National Cryptologic Museum as part of CyberWire Pro. And if you find yourself in the Fort Meade, Maryland area, be sure to stop by the museum for a visit.
Starting point is 00:28:35 It is open to the public and well worth your time. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Thank you. segment called Security, huh? I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are
Starting point is 00:30:10 listed. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester, with original music by Elliot Peltzman. The show was written by John Petrick. Our executive editor is Peter Kilby,
Starting point is 00:30:36 and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:31:33 That's ai.domo.com.
