CyberWire Daily - From cryptostealers to CCTV exploits, from Magecart enhancements to coronation phishbait, cybercriminals have been active. (But so have law enforcement agencies.)
Episode Date: May 2, 2023
LOBSHOT is a cryptowallet stealer abusing Google Ads. Coronation phishbait. A known CCTV vulnerability is currently being exploited. T-Mobile discloses another, smaller data breach. New Magecart explo...its. Preliminary lessons from cyber operations during Russia's war. Rob Boyce from Accenture shares insights from RSA Conference. Our special guest is NSA Director of Cybersecurity Rob Joyce. And Europol announces a major dark web market takedown. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/84
Selected reading.
New LOBSHOT malware gives hackers hidden VNC access to Windows devices (BleepingComputer)
New 'Lobshot' hVNC Malware Used by Russian Cybercriminals (SecurityWeek)
Elastic Security Labs discovers the LOBSHOT malware (Elastic Blog)
Researchers see surge in scam websites linked to coronation (Computer Weekly)
TBK DVR Authentication Bypass Attack (FortiGuard)
T-Mobile discloses second data breach since the start of 2023 (BleepingComputer)
T-Mobile discloses 2nd data breach of 2023, this one leaking account PINs and more (Ars Technica)
T-Mobile Announces Another Data Breach (CNET)
Magecart threat actor rolls out convincing modal forms (Malwarebytes)
Cyber lessons from Ukraine: Prepare for prolonged conflict, not a knockout blow (Breaking Defense)
288 dark web vendors arrested in major marketplace seizure (Europol)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Lobshot is a cryptowallet stealer abusing Google Ads. Coronation phishbait. Rob Boyce from Accenture shares insights from RSA Conference. Our special guest is NSA Director of Cybersecurity Rob Joyce.
And Europol announces a major dark web market takedown.
I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, May 2, 2023.
Elastic Security Labs reports a new trend of Google Ads-based malware that uses an elaborate scheme of fake websites through Google Ads and embedded backdoors in what appears to users as legitimate installers. Elastic Security calls this malware strain Lobshot and describes it as having hidden virtual network computing capability that allows Lobshot to remain undetected by the host machine. Researchers attribute this campaign to the Russian cyber group TA505, a well-known cybercrime group associated with Dridex, Locky, and the Necurs campaign. Lobshot is used to steal financial data, specifically going after Chrome extensions associated with crypto wallets. It also seems to have the ability to target Edge and Firefox wallets. As SecurityWeek reported, the malware allows attackers to bypass fraud detection engines and provides them with stealthy direct access to the infected machines. Elastic Security explains that it does this by performing a Windows Defender anti-emulation check, looking for hard-coded values within the emulation layer of Defender. If they are present, the malware immediately stops running. The malware comes with a built-in GUI which allows attackers to execute specific commands quickly, such as modifying sound settings, starting browsers, and using the infected machine's clipboard, presumably to obtain or modify copied wallet addresses.
Researchers have seen an increase in phishing sites centered around Saturday's coronation of King Charles III, Computer Weekly reports. Kaspersky researchers have discovered many fake memorabilia sites that harvest credentials and steal money. Not only can the actors behind the faux sites steal information visitors enter, but the websites themselves are also insecure, allowing outside hackers to harvest the entered information. Kaspersky principal security researcher David Emm advises caution when procuring coronation collectibles and recommends sticking to familiar, reputable brands and official sites.
FortiGuard Labs is monitoring a spike in the exploitation of a digital video recorder authentication bypass vulnerability, CVE-2018-9995, in TBK Vision systems.
Many of those systems are white-badged and sold under other vendors' brands.
The researchers observed over 50,000 unique detections in the month of April.
The vulnerability arises from an error in the vulnerable application when handling a maliciously crafted HTTP cookie. A remote attacker may be able to exploit this to bypass authentication and obtain administrative access.
The vulnerability has been given a 9.8 CVSS score, which marks it as critical.
The vulnerability was first discovered in 2018, and no patch has so far been issued.
SecurityWeek writes, organizations are advised to review the CCTV cameras, DVRs, and related equipment they're using and remove any vulnerable models from their environments or ensure that they are protected by a firewall and not directly accessible from the Internet.
T-Mobile saw their second data breach this year, Ars Technica reported yesterday.
The breach apparently started on February 24th and ran through March 30th,
meaning that the attackers had access to personal customer data for over a month.
This incident followed a January breach of the company's systems that affected 37 million customers.
The magnitude of this breach is not anywhere near so far-reaching, BleepingComputer reports, as the incident affected only 836 customers. But the information contained in the leak was highly extensive and exposes affected individuals to identity theft and phishing attacks. The carrier released a statement in late April disclosing that no financial information or call records were released in the breach, but an array of other personally identifiable information was exposed, including full name, contact information, account number and associated phone numbers, account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts, and the number of lines.
Magecart credit card skimmers are devising new custom fraudulent modals that are said to be thoroughly convincing, Malwarebytes reports. A modal, the researchers explain, is a webpage element displayed in front of the current active page. The researchers call the campaigns associated with the skimmer one of the most active Magecart attacks in recent months. A Parisian travel accessory store was found to be compromised. The skimmer, which researchers have previously dubbed Kritec, was injected into the site's CMS and loaded malicious code that impacted checkout on the site. However, the site does not use a modal, but instead redirects to a third-party processor site that allows the user to enter their information and then redirects back to the initial merchant page. When a user selects the credit card payment option, the fraudulent modal is displayed and asks for payment card information. Once it's entered, an error screen will pop up saying the payment was canceled and will redirect to the merchant's real third-party payment processor. Malwarebytes calls this a good example of a skimmer that appears trustworthy.
Breaking Defense offers a summary of expert opinion on the early lessons being drawn from the cyber phases of Russia's war against Ukraine. Widespread fear of a cyber 9/11 or a cyber Pearl Harbor, that is, a decisive, crippling, bolt-from-the-blue attack in cyberspace, has proven unfounded. Breaking Defense says the strategic lesson for the U.S., several independent experts said, is that this kind of drawn-out cyber conflict is a more likely model for future wars than the sudden-death visions of a cyber Pearl Harbor or cyber 9/11 predicted by U.S. officials for over a decade. While cyber operations have been and are likely to remain an important part of future wars, they're unlikely to be decisive war winners, nor are they likely to produce significant operational-level victories. In this respect, we note, they resemble their older cousins in electronic warfare, valuable as combat multipliers but not bringing an overwhelming advantage. It is perhaps worth noting that while the attack on Pearl Harbor and the terrorist actions of 9/11 achieved operational surprise, those who carried them out wound up eventually losing the war.
And finally, bravo Europol.
The agency has announced a successful international action, Operation SpecTor, against a major dark web contraband market.
Their announcement reads,
In an operation coordinated by Europol and involving nine countries,
law enforcement have seized the illegal dark web marketplace Monopoly Market
and arrested 288 suspects involved in buying or selling drugs on the dark web.
More than 50.8 million euros in cash and virtual currencies,
850 kilograms of drugs and 117 firearms were seized. And that, friends, is a lot of stuff that's better off gone. Coming up after the break, a tale of two Robs.
We've got Rob Boyce from Accenture with his thoughts on the RSA conference,
and our special guest, NSA Director of Cybersecurity, Rob Joyce. Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our
GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
at blackcloak.io.
And it is my pleasure to welcome back to the show Rob Boyce from Accenture, where he is the global lead for cyber resilience.
Rob, it's great to have you back.
I want to start off just with your impressions of this year's RSA conference. As you've been walking around, have there been any things that have caught your attention?
Yeah, first of all, it's nice to be back and nice to do this in person.
Yes, it is.
Yeah, I think there's a few things that really stood out to me,
and I'm sure I'm not the first person who's going to say this with you this week,
but AI everywhere.
I think we're seeing a lot of companies become AI companies
overnight by introducing
their integrations
or how they're going to use
OpenAI or ChatGPT to
increase the fidelity of their
product space. So I think that's interesting.
We're also seeing
in that topic with
generative AI, I think is also
what we, I think I must have, every single person I have talked to this week,
this has been a topic of conversation.
Like, how fast is it going to get us to a better place?
And I think a lot of people are really hoping that it's going to solve
some of the skills problems, deficits that we have,
get people upskilled faster, being able to use a generative AI assistant
to be able to ask questions to, so you don't need
to be a deep cyber expert. Maybe
you could leverage the assistant to be
able to augment your own knowledge.
And then we start thinking
about how do we transition
cyber from cyber skills
and being deeply technical to maybe
being better at asking questions.
So I think that'll be interesting.
That's a lot of conversation around that.
Also, space.
That's crazy.
We're talking now about how do we secure space
and space being the 17th segment of critical infrastructure,
I think they're calling it.
So that's going to be fascinating as that unfolds more
and seeing how that is.
So that was a crazy topic that I saw.
And the one thing that I always find when I come here or to Black Hat is how many technology vendors there are in the security space.
And I feel like this is my personal opinion is I think it's causing some of the problems that we have in the security
space, right?
Like there's no less than a thousand probably vendors on the floor, all solving one small
segment of the cyber problem, rather than thinking about how do we integrate these products
that maybe are more of a feature as opposed to an actual tool into a larger ecosystem.
And I think it's causing a lot of confusion maybe for organizations
and it also causes them to buy a lot more technology.
And so this is why we always see when we go to clients,
it's not unusual to have 150 different security technologies
in an environment.
And of course now with the economy the way it is and some uncertainty,
I think there's an opportunity for us to use this time to rationalize those stacks and how do we get more out of investments
we already have as opposed to buying more and more technology. So I think we might be forced
to think that way in the next year or so. But yeah, those are some of the observations anyway,
just walking around. I'm curious, you know, for you as someone who represents an organization that I think it's fair to say is an alpha provider, the scale and the breadth of the things that you and your colleagues at Accenture provide are done at a higher level than many companies who are just smaller than you are and with different sense of capabilities. As you're walking around looking at the startups, the smaller companies,
those scrappy folks who are around the edges,
is it interesting for you to kind of get out of your bubble
because you do so much in-house?
Yeah, for sure.
I really enjoy getting to talk to some of the innovators.
And yes, I am saying two different things
of the same, two sides of the same coin,
I guess is the phrase.
I love seeing the ideas and the innovations
that are coming out and being able to talk to people
around the problems they're trying to solve
and how they're thinking differently.
And just going back to the generative AI
and the upskilling, I think there's a lot of companies
looking at how do we upskill individuals in this space,
whether it's through technology or whether it's through training.
I think just being able to talk to them
and hear the passion that they have around,
we really want to make a meaningful difference in this space
by getting people fluent, I guess, or literate in cyber.
I think that's super interesting also.
I love doing it.
I'd say you could use a little more air conditioning probably
on the expo floor.
That's fair.
It is hot down there.
And there are a lot of people.
I do think like last year when we did this,
we were talking about is RSA back, right?
And I think last year, you know, I was getting back.
But this year, I think there's more people than there were in 2020.
Oh, yeah.
It's really amazing.
I heard someone today mention
that they'd seen that the attendees doubled this year over last year. Yeah. And I believe it. Yeah,
for sure. And I also find that there's a lot of international people here this year. Like I think
RSA has always been historically very focused on North America for the most part, but there are
every language you can imagine being spoken on the expo floor right now. And just, there's so many
international people.
It's amazing.
Where do you think we stand in terms of headwinds?
Obviously, we have changing economic times, which has affected our industry as well as other folks.
But I'm curious, what are the challenges you see in the year ahead?
I do think people are being asked to do more with less.
So we can expect, I think, no new investment being made in cyber,
but I think there will be probably
consistent investment, maybe not additional.
So I think CISOs and their security organizations
are going to be challenged to do more,
keep pace without having more budget to do it,
which I honestly think is going to be
a good opportunity for them to double down
on the investments they have and think about how to get the most out of them. Because I will tell you, like we see
organizations when we do incidents, they very often have the right technology to have prevented or
reduce the destructive nature of the event. But they don't, you know, they haven't deployed the
technology everywhere or they haven't configured it appropriately or haven't operationalized the processes
and integrated into their SOC perhaps.
So I do think this will be that opportunity to do that.
I think it's actually going to be good for us in some ways
to try and not solve the problem with money
but actually do the hard work.
Yeah, that's interesting.
A little bit of a stress test in a way.
Yeah, yeah.
All right.
Well, Rob Boyce, thanks so much for joining us.
Absolutely. Thank you, Dave.
It is my pleasure to welcome to the show Rob Joyce.
He is the Director of Cybersecurity at the National Security Agency.
Rob, thank you so much for taking the time for us today.
It's great to be here, Dave. Thanks for having me.
So I want to start off by setting the stage a little bit and saying that I grew up sort of in the shadow of the NSA in Howard County, Maryland.
And way back then, it was no such agency, right? And we had many
friends whose parents worked for the agency and would say, what do you do for a living? And they'd
just say, I work for the government. It is remarkable to me how much that has evolved,
that these days, a big part of the agency's work, particularly when it comes to cyber,
is interaction, is outreach, is cooperation with industry.
Can you speak to that a little bit about how that's part of the mission?
Yeah, it's absolutely part of the mission these days.
What we've recognized is U.S. industry, they own, they operate, they defend the Internet.
And all of the threats in that world happen inside their backyards. And so while I
have a capability to look into foreign space about the threats and the operations that are happening
there, I need a partner to work on the things that are on those infrastructures. And that's
the natural place. And you can't achieve the things we need to do without building that level
of trust. Can we talk about some of the mechanisms that are in place? For example, I know you all are
providing support to organizations, non-governmental organizations who are doing business with the
government on the cybersecurity front. Yes. So we opened about three years ago,
the Cybersecurity Collaboration Center. That's focused on the defense industrial base.
So all of the big companies you would know and understand
from their names on the buildings that do defense contracts.
But the defense industrial base is actually 300,000,
at least 300,000 companies.
And it includes those traditional big companies you think of.
But increasingly, the Defense Department relies on the big cloud providers, the incident response providers, all the hardware vendors that make operating systems. By taking all of the foreign threat space and applying it to help them collaboratively secure their environment, we protect the Defense Department's mission.
But in fact, it rolls out into much larger spaces into the rest of the government, into critical infrastructure.
Even you and I at home get protected when I teach a big company about Russian malware or their
tradecraft, they don't apply it just to the Defense Department mission. They apply it to
their whole customer base. And what is the mechanism by which that interaction happens?
Are we at the point where it's bi-directional? It's flowing from industry to you and back and
forth? It absolutely is. So years ago, we would take the things we knew
and we would pass it to companies,
often through an intermediary,
another government agency or another path.
And we just threw that one thing over the wall
and it may or may not have been useful.
Most of the time it wasn't.
And because there wasn't that bidirectional communication,
we had no chance to learn that it was almost what they needed.
But if we changed or answered this one question, it would be better.
We never got things back.
So we now have joint analysis.
We'll pick a Chinese threat.
And the big analysts from industry are pursuing it with their data and on their networks,
and we're bringing that SIGINT information together.
And very rarely is it one substantive piece of information that makes the difference,
but it's the ongoing dialogue and the joint analysis that gets us to really huge discoveries.
Can we discuss the scalability of that?
I mean, when you start a
program like that, when there hasn't been one before, with something as large as cybersecurity,
how do you approach that? Yeah, so we started with one company. It's 100% voluntary. So every
company that works with us does it of their own volition. There's no payment. There's just the agreement that we're going to do good
things together. We're up over 300 now that collaborate. Some of them, many of them on a
daily basis where we're exchanging and working on hard problems. And what we're finding is those
companies are seeing the benefit. That's why they put their resources into this partnership
because it's protecting their customers,
it's protecting their equity,
and it's also protecting the nation.
So they're happy to be in that relationship
where we're providing value
and they see good outcomes.
Certainly here at the RSA conference,
a hot topic is artificial intelligence.
We've been sort of half joking
that on the way to the show
that half the booths would say
we're ChatGPT enabled
and the other half would say
we're protecting you from the things
that are ChatGPT enabled, right?
I'm curious what the agency's
perspective is on this.
You know, is this something to embrace, to explore, to be wary of?
Where are you all there?
So we have to embrace it.
Whether we like it or not, industry is going there and the technology has emerged and it's going to be impactful.
We do see it much like you framed it.
There's an element of bad guys are going to do innovative things with it.
There's an element of we will be able to do much better defense using it.
And then there's the aspect of, you know, this is a national treasure right now.
These companies have innovated and created things that others are going to look to steal.
And so we've got to help them protect it.
But across all three of those,
the way I would characterize it is I think the watchwords are going to be speed and scale,
that using generative AI technologies, you're going to be able to do new things, but mostly new things faster or remove a lot of just the rote work. And so we're going to see the people who
learn to use it be better at either exploiting or defending than those who don't.
What would you like our listeners to know about the way that NSA approaches our adversaries?
The names we hear in the news every day.
We have an effort called
Adversary Defeat. When we stood up the Cybersecurity Directorate, we deliberately
picked a vision statement that we were going to prevent and eradicate malicious threats. And
there was a lot of debate about that word eradicate, because we don't actually have the
authority in NSA to do eradication,
but we thought setting the bar at anything less,
you really wouldn't have the right attitude in the day-to-day engagement.
So our hope is that we're able to generate intelligence,
build technical insights, and then take those things to partners who can. And certainly Cyber Command inside Fort Meade is one of them,
and they have the defend
forward concept where they're not going to just leave the adversary to try and try and try until
they succeed. We're going to put sand in the gears and try to prevent them from achieving the things
they want to do. But it's not just Cyber Command, it's CISA, it's FBI, but also Treasury, State Department, and then all of those commercial
partners we talked about. They all have different and unique ways to put pressure on the adversaries,
shine a light on them, take away their capabilities, sometimes get after them in law
enforcement, or simply harden and do preventative things that will make their jobs harder to achieve their goals.
Before I let you go, as we walk around the show floor here,
there are lots of folks who are just starting out their careers,
looking to figure out, to find their place.
And for some of those people, NSA could be their place.
What's your pitch for them?
What's the mindset of the people you're looking for?
Yeah, so the mindset are folks who want to work on hard problems with wickedly intelligent people in a diverse environment that's going to challenge them every day.
So I came in 34 years ago.
I've had careers inside careers. The most rewarding
thing is if you see something in the newspaper, somebody at NSA is working on that problem,
right, in that national security space. But the really cool ones are the ones that never make the
paper because of the things we're doing. And that's just satisfying. It really is very cool.
Rob Joyce is Director of Cybersecurity at the National Security Agency. Thanks so much for joining us. Thanks, Dave. I really appreciate it.
Thank you.
solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in
the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like
the Cyber Wire are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector, as well as the critical security teams supporting
about your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Ervin
and senior producer Jennifer Iben.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
This show was written by John Petrick.
Our executive editor is Peter Kilby
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.