CyberWire Daily - Firmware comes in through the back door. Leveraging Adobe for credential harvesting. C2C market notes. Hybrid war updates.
Episode Date: June 1, 2023

A backdoor-like issue has been found in Gigabyte firmware. A credential harvesting campaign impersonates Adobe. The Dark Pink gang is active in southeastern Asia. Mitiga discovers a “significant forensic discrepancy” in Google Drive. "Spyboy" is for sale in the C2C market. A look at Cuba ransomware. Ukrainian hacktivists target the Skolkovo Foundation. The FSB says NSA breached iPhones in Russia. Carole Theriault examines Utah's social media bills aimed at kids online. Our guest is Tucker Callaway of Mezmo to discuss the rise of telemetry pipelines. And spoofing positions and evading sanctions.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/105

Selected reading.
Supply Chain Risk from Gigabyte App Center backdoor (Eclypsium)
Ado-be-gone: Armorblox Stops Adobe Impersonation Attack (Armorblox)
Dark Pink back with a bang: 5 new organizations in 3 countries added to victim list (Group-IB)
Southeast Asian hacking crew racks up victims, rapidly expands criminal campaign (CyberScoop)
Suspected State-Backed Hackers Hit Series of New Targets in Europe, SE Asia (Insurance Journal)
Mitiga Security Advisory: Lack of Forensic Visibility with the Basic License in Google Drive (Mitiga)
2023-05-31 // SITUATIONAL AWARENESS // Spyboy Defense Evasion Tool Advertised Online (Reddit)
An In-Depth Look at Cuba Ransomware (Avertium)
Russia’s ‘Silicon Valley’ hit by cyberattack; Ukrainian group claims deep access (The Record)
Russia says U.S. accessed thousands of Apple phones in spy plot (Reuters)
Fake Signals and American Insurance: How a Dark Fleet Moves Russian Oil (The New York Times)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code N2K.
A backdoor-like issue has been found in Gigabyte Firmware.
A credential harvesting campaign impersonates Adobe.
The Dark Pink Gang is active in Southeast Asia.
Mitiga discovers a significant forensic discrepancy in Google Drive.
Spyboy is for sale in the C2C market.
A look at Cuba ransomware.
Ukrainian hacktivists target the Skolkovo Foundation.
The FSB says NSA breached phones in Russia. Carole Theriault examines Utah's social media bills aimed at kids online. Our guest is Tucker Callaway of Mezmo to describe the rise of telemetry pipelines. And spoofing positions and evading sanctions.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, June 1st, 2023.

Researchers at Eclypsium have discovered a firmware backdoor in motherboards sold by Taiwanese hardware manufacturer Gigabyte. The feature appears to be intended to automate firmware updates, but Eclypsium says it could be abused by threat actors via person-in-the-middle attacks. The researchers compare the vulnerability to other firmware backdoors such as LoJax, MosaicRegressor, MoonBounce, and VectorEDK. The researchers explain that the dropped executable and the normally downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use, especially if exploited using living-off-the-land techniques. Eclypsium writes that, as a result, the threat actors can use this to persistently infect vulnerable systems.
Armorblox today reported detecting and stopping an email attack impersonating Adobe that evaded email security measures. The threat actor used social engineering to target law firms by sending emails from a compromised third-party account. Legal documents were the phish bait. The phish hooks were malicious hyperlinks leading to pages mimicking Adobe Acrobat. The landing page of those hyperlinks was a faux Adobe file-sharing page, with another link leading to a credential harvesting page requesting the victim's Microsoft login. The threat actors leveraged the legitimacy of Adobe to reel in unsuspecting victims, and they were also able to bypass certain Microsoft security measures, since the manipulation and use of Adobe's legitimate domain bypassed email security checks.
Singapore-based cybersecurity firm Group-IB is observing the activities of a threat actor they're calling Dark Pink. At least 13 organizations across nine countries have been victimized by this advanced persistent threat. CyberScoop reports that recent victims have been located in Brunei, Thailand, and Belgium, atop previous attacks targeting the Asia-Pacific region and Europe. Spear phishing emails are Dark Pink's primary modus operandi, and its custom data exfiltration toolkit has been updated to allow the group to lie low within infected systems and devices. Their recent targets have spanned the government, non-profit, military, and education sectors, Insurance Journal reports. Attribution of Dark Pink remains unclear. It walks and quacks like an intelligence service, but whose service is still unknown.

Mitiga released a comprehensive report regarding a significant forensic deficiency in Google Workspace. This deficiency allows threat actors to exfiltrate data using Google Drive with no trace. The problem lies in the fact that Google Drive logs are only active in its premium service, Google Workspace Enterprise Plus. If an organization is not paying for the service or an employee is not using a paid license, the logs remain inactive. This allows threat actors to move data without notice. Mitiga writes that all users can access the workspace and complete actions with the files inside their private company drive. They simply do so without generating any logs, making organizations blind to potential data manipulation and exfiltration attacks. Mitiga has alerted Google to this discrepancy, but as of the publishing of their report, Google had not yet responded.

CrowdStrike warns that someone going by the handle Spyboy is selling a new endpoint defense evasion tool for Windows on the Russian-language forum RAMP. The tool, called Terminator, is advertised as being able to bypass 23 antivirus and EDR solutions. CrowdStrike notes that the software requires administrative privileges and User Account Control acceptance to properly function. Upon execution, the binary will write a legitimate signed driver file known as Zemana Anti-Malware to the system.
Avertium has published an extensive look at Cuba ransomware, the Russian operation with no connection to its island-nation namesake. The study offers a timeline of the operator's activities, notes on indicators of compromise, and advice on defense and remediation. The timeline is interesting in the way it shows how a nominally criminal organization can be turned to serve the purposes of the Russian state.

Ukrainian hacktivists posting under the Linux hacker-inspired name sudo rm -RF chirped at Russia's Skolkovo Foundation over Telegram, claiming to have pwned the tech development agency. The Record reports that Skolkovo acknowledged sustaining an attack, but said that its systems were all back up and running. The hacktivist claims are probably overblown, as hacktivist claims normally are, but the Skolkovo Foundation has at least experienced some degree of embarrassment. Headquartered on the outskirts of Moscow, the Skolkovo Foundation was founded by the former Russian president and current deputy chairman of the Security Council, Dmitry Medvedev. He charged it with leading the development of a Russian tech industry that would rival, if not supplant, Silicon Valley.
Reuters reports that Russia's FSB says that the U.S. National Security Agency has succeeded in compromising iPhones used in Russia.
The phones belonged mostly to Russian citizens,
but the FSB says that iPhones belonging to some foreign diplomats were also affected.
The official moral Russia would have public opinion draw from the announcement
is that NSA and Apple are conniving with one another.
As the foreign ministry put it, the hidden data collection was carried out through software vulnerabilities in
U.S.-made mobile phones. The U.S. intelligence services have been using IT corporations for
decades in order to collect large-scale data of Internet users without their knowledge.
So the so-called lesson of the story Russia's
telling is that the Anglo-Saxons aren't to be trusted. And finally, tankers carrying Russian
oil are having their movements concealed by automatic identification systems spoofing.
The purpose of the deception appears to be evasion of international sanctions against Russia,
the New York Times reports.
Why would the tankers spoof their locations?
If tracking data revealed the ship's movements from Russian ports to customers' ports,
that would be evidence of a prohibited breach of sanctions
sufficient to void the vessel's insurance coverage.
And no shipper wants that.
It's like your teenage driver jacking up your premium with a bunch of speeding tickets.
Or so I've heard.
Coming up after the break,
Carole Theriault examines Utah's social media bills aimed at kids online.
Our guest is Tucker Callaway of Mezmo to discuss the rise of telemetry pipelines.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their
controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you
get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home... Protect your executives and their families 24/7, 365 with Black Cloak. Learn more at blackcloak.io.
We often talk about the challenges in dealing with the metaphorical firehose of data being collected and sent to security teams.
How do you sort through it, route it, tag it, make sure the right stuff is being seen by the right people?
Why automation, of course.
And one flavor of automation being embraced is telemetry pipelines.
To learn more about telemetry pipelines, I spoke with Tucker Callaway, CEO at Mezmo.

I think the rise in telemetry pipelines really stems from just the explosion of data.
It's probably the first factor, and that's driven, of course, by digitization, cloud adoption,
microservices, and all that.
The second driving factor, I think, too, is this desire for customers to take more ownership and have more provenance over their data, where that data gets routed to, where it gets stored, how they handle it, and manage to get value out of it over time.
Can you give us an idea of what exactly the sort of tension is here?
I mean, my understanding is that you want to gather data, but if you gather data, it's expensive to hold on to that data.
Yeah, I was going to say that it's more than just cost,
but the main driver is really just cost, right?
There's this desire and a need, frankly, to store data,
especially for security purposes.
Like the timeframe that we typically detect threats
and things like that
is 6, 9, 12 months.
And so there's this requirement imperative for us out there
to store the data for these extended periods of time.
If you take that storage window combined with the volume explosion,
there's a paradigm shift that has to happen
in the old ways of just storing data in a single data store
or in a single tool, they just simply don't scale to the modern cloud architectures.
So how are people coming at this?
Which sort of options have they had available to them?
I think there's a couple of different ways to approach the different options.
I go back to the need to take control of your data.
When you take control of your data, you get to start to make decisions about that data and how it's leveraged over time.
So you can do things like put that data in.
Well, first, you can manage, massage, transform, and route that data in a way that makes it most advantageous for you.
So the challenge with storing all this data is a lot of it isn't valuable until it's extremely valuable until it's absolutely required to go troubleshoot an issue.
But as a result,
we don't need to store that in,
I'd say an expensive vendor data store.
A lot of that data can be stored in more affordable storage facilities like,
like S3 or,
you know,
just more kind of block storage type capabilities and then rehydrate or reuse at the time when it's actually needed.
And the things you need to do to do more analysis and reporting,
the high-value data can be sent directly to those tools
that people use for both observability and security purposes.
How should people come at that?
I mean, if the reality is that you don't always know
when you're tucking away this data,
whether it may ever be valuable,
what's a strategy to deal with that?
I think it varies from company to company,
but the broad strategy has to be to own the data.
And by own the data, I mean,
if you give some of this data to a vendor,
it just sits in their data store
and you're kind of beholden to their abilities.
You're beholden to their cost models.
The ability to choose where this data gets selected gives you an opportunity to decide how do you want to archive that data?
How do you want to manage that data?
How do you want to control the cost of the data?
There's also a number of steps you take along the way. The first thing is you ensure that you don't have duplicate data. And then you ensure that you don't have
data that will not have any value over time. And then a third step might be
then you can compress the data and convert the raw data into
more summarized metrics and things like that. And so there's a series of steps that people can take
to go manage it more effectively. So you both have the
insights and the coverage that you need of your environment,
but you also have the kind of full fidelity
raw log capabilities that you need
when it comes to trouble shooting
and you want to get to root cause
of what actually happened nine months ago.
Do you have a certain amount of sympathy or empathy
for folks who kind of come at this
with a pack rat mentality,
or let's just save everything?
I do, yeah.
One of my big data points is we've been in the log management space
for a long time, and we've been working with customers
for over six years who have this requirement to store this data,
and forever they've been stuck.
I think that's why telemetry pipelines have had such a big rise, because they're putting that decision-making power, they're putting the control, back into the customers' hands or into the enterprise's hands. So I absolutely have empathy for them, and in fact I've kind of worked side by side with them over the years trying to solve this problem. And we realize, as the market has as well, the prevailing trend, and an extremely rising trend, is to take control of it. And the telemetry pipeline is a very strategic control point to make that happen.
How does this fit into regulatory frameworks?
For people who are required to store data,
how does this slot into those requirements?
I think it's really hand-in-hand. That's one of the reasons I gave the answer
I did earlier, that it depends on each enterprise because, of course,
people with certain or enterprises with certain retention requirements
are going to have to match those. But what you don't want to do is have to match those
retention requirements in an expensive data store. You don't want to be
storing things that aren't required.
And so those regulatory compliance trends, absolutely,
they sit hand in hand.
In a way, the regulatory compliance forces a certain amount of discipline,
and that discipline is actually being carried out less from a regulatory
perspective and more from a cost perspective than applied across enterprises.
What are your recommendations for people
who are starting this journey?
Do you have any words of wisdom as they head down this path?
Yeah, I think, I've said it a couple of times,
but I really think it's like,
take control of your data. Don't look at that as just information. Think about it as an asset of your enterprise. And when you think about your data as one of your core assets, you think about it differently.
We used to always talk about how every business is a software business.
I think in many ways every business is becoming a data business these days.
We work with people who collect data off chairs, for example,
and that chair telemetry data is actually very strategic for them in terms of how they make business decisions.
So I think you have to look at your data as a product or as a core asset of your company and not just as a necessary evil.
And when you start to treat it that way, you look at it through a very different lens.
And you care for it and you treat it differently.
You make sure that what you have is available.
We think a lot about what we call the cost curve problem.
And that's the relationship between value and cost of data that has become out of whack
over time.
When you take ownership of it, you're essentially saying, I'm going to go manage that cost of
data for my enterprise.
That's Tucker Callaway from Mezmo.

Our UK correspondent, Carole Theriault, has been looking at Utah's social media bills that are aimed at kids online.
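The pipeline steps Callaway describes (deduplicate, drop data that will never have value, route high-value events to the analysis tool, keep the rest in cheap compressed storage, roll everything up into metrics, and rehydrate the raw records when an investigation needs them) are shown below as an added worked example. This is illustration code written for this page, not Mezmo's product or any code from the interview; the JSON-per-line log format, the drop and high-value rules, and the sample log lines are all constructed assumptions.

```python
"""Added example: a minimal telemetry pipeline (not Mezmo's code).

Stages: parse -> dedupe -> drop zero-value -> route high-value to the SIEM
sink, archive everything kept in compressed form -> summarize into metrics.
"""
from collections import Counter
import gzip
import hashlib
import json

# Constructed sample input in an assumed JSON-per-line log shape.
SAMPLE_LOGS = [
    '{"ts":"2023-06-01T10:00:00Z","host":"web1","src":"nginx","level":"INFO","msg":"GET /healthz 200"}',
    '{"ts":"2023-06-01T10:00:00Z","host":"web1","src":"nginx","level":"INFO","msg":"GET /healthz 200"}',
    '{"ts":"2023-06-01T10:00:01Z","host":"web1","src":"nginx","level":"INFO","msg":"GET /login 200"}',
    '{"ts":"2023-06-01T10:00:02Z","host":"web1","src":"sshd","level":"WARN","msg":"Failed password for root from 203.0.113.5"}',
    '{"ts":"2023-06-01T10:00:03Z","host":"web1","src":"sshd","level":"WARN","msg":"Failed password for root from 203.0.113.5"}',
    '{"ts":"2023-06-01T10:00:04Z","host":"db1","src":"app","level":"DEBUG","msg":"cache hit key=42"}',
    '{"ts":"2023-06-01T10:00:05Z","host":"db1","src":"app","level":"ERROR","msg":"connection refused to 10.0.0.9:5432"}',
    'not json at all',
]

REQUIRED_FIELDS = ("ts", "host", "src", "level", "msg")


def parse(line):
    """Return a dict for a well-formed event, or None for malformed input."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or any(k not in event for k in REQUIRED_FIELDS):
        return None
    return event


def fingerprint(event):
    """Stable hash over the canonical event; exact repeats collapse to one key.
    Two sshd failures with different timestamps are distinct events, not dups."""
    canon = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def is_zero_value(event):
    """Assumed rules for data that will never be worth storing; tune per environment."""
    if event["level"] == "DEBUG":
        return True
    return event["src"] == "nginx" and "/healthz" in event["msg"]


def is_high_value(event):
    """Assumed rule for what goes straight to the expensive analysis/SIEM sink."""
    return event["level"] in ("WARN", "ERROR") or event["src"] == "sshd"


def run_pipeline(lines):
    """Process raw lines; return the SIEM events, the compressed archive,
    per-(host, src, level) metrics, and pipeline statistics."""
    seen = set()
    siem, archive = [], []
    stats, metrics = Counter(), Counter()
    for line in lines:
        event = parse(line)
        if event is None:
            stats["malformed"] += 1
            continue
        fp = fingerprint(event)
        if fp in seen:
            stats["duplicate"] += 1
            continue
        seen.add(fp)
        # Metrics summarize every unique event, even ones we then drop,
        # so volume stays visible without storing the raw records.
        metrics[(event["host"], event["src"], event["level"])] += 1
        if is_zero_value(event):
            stats["dropped"] += 1
            continue
        archive.append(event)          # full-fidelity copy to cheap storage
        if is_high_value(event):
            siem.append(event)         # only this subset hits the costly tool
        stats["kept"] += 1
    raw = "\n".join(json.dumps(e, sort_keys=True) for e in archive)
    return {"siem": siem, "archive": gzip.compress(raw.encode()), "metrics": metrics, "stats": stats}


def rehydrate(blob, predicate):
    """Pull full-fidelity events back out of the compressed archive for an investigation."""
    text = gzip.decompress(blob).decode()
    return [e for e in (json.loads(l) for l in text.splitlines() if l) if predicate(e)]


if __name__ == "__main__":
    out = run_pipeline(SAMPLE_LOGS)
    print("stats:", dict(out["stats"]))
    print("siem events:", len(out["siem"]))
    for key, n in sorted(out["metrics"].items()):
        print("metric", key, n)
    print("rehydrated db1:", rehydrate(out["archive"], lambda e: e["host"] == "db1"))
```

On the sample input the pipeline counts one malformed line and one exact duplicate, drops the health check and the debug line, archives four events, sends three of them (two sshd failures and the database error) to the SIEM sink, and still reports the dropped volume in the metrics. The archive is what you would read back nine months later; the predicate passed to `rehydrate` is where a time window or host filter would go.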
She files this report.
So this past year, we have been seeing some U.S. states attempt to crack down on social media by passing bills that, if enforced, will radically change how social media companies can operate, who they can
target, and how they collect data. Let's start with Utah's Governor Spencer Cox. He has a bee in his bonnet about social media. He tweeted more than once that protecting young Utahns from the
harms of social media is one of his top priorities. And since January this year, he's been lamenting
the impacts of social media on the young folks of his state. So at the start of the year, he held a
press conference where he made many statements disparaging social media. Things like, we know
that social media is causing harm and we know that social media can lead to cyberbullying. He said
our mental health is taking a beating and that the social media platforms know this, but are doing nothing.
Governor Cox also reportedly said that the situation requires action.
And in late March, a sweeping social media bill was passed in Utah by Governor Cox, who is very proud of this accomplishment.
He reportedly said, these are the first of their kind bills in the United States. That's huge. And he's right.
These two laws are collectively known as Social Media Regulation Act, and they're to take effect
on March 1st, 2024. One of the bills requires social media companies to verify the age of any Utah resident with an account on
their services. Why? Well, they want to identify users that are under 18 and ensure they have
parental consent in order to use social media. Another point is to access social media between
the hours of 10:30 p.m. and 6:30 a.m., a young Utah user will need their guardian or parent's consent. Plus, parents and guardians can see everything a young user posts and messages, effectively enabling parental surveillance of their online behavior. So currently under COPPA, that's the federal children's privacy law, companies are required to ask a user what age they are and they are allowed to trust that that user is being truthful. It's not yet clear how the social media networks are actually going to enforce this. Will they have to collect driver's licenses or passports from
all users from Utah in order to verify ages? We shall see. But in the interim, this is obviously
quite controversial. You have privacy advocates saying that this type of law means that people
cannot be anonymous online, and that is a right that they want to protect.
You have kids who don't want these restrictions at all.
And you have parents that are on both sides of the fence.
And note, Utah is not alone.
The Arkansas legislature has introduced a similar bill that would require social network platforms to verify users' age and obtain
explicit parental consent for people under 18. There is a bill introduced in Texas, which is
even more stringent. It would ban social media accounts for minors, period. So things are changing
out there. And it's going to be really interesting to see what these bills in Utah, which have been passed, will actually look like when it comes to enforcement time. This was Carole Theriault for The CyberWire.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. ... designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.

And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior
producer Jennifer Iben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show
was written by Rachel Gelfand. Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps
tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.