CyberWire Daily - From screen share to spyware.
Episode Date: August 28, 2024

Threat actors use a malicious Pidgin plugin to deliver malware. The BlackByte ransomware group is exploiting a recently patched VMware ESXi vulnerability. The State Department offers a $2.5 million reward for a major malware distributor. A Swiss industrial manufacturer suffers a cyberattack. The U.S. Marshals Service (USMS) responds to claims of data theft by the Hunters International ransomware gang. Park’N Fly reports a data breach affecting 1 million customers. Black Lotus Labs documents the active exploitation of a zero-day vulnerability in Versa Director servers. Federal law enforcement agencies warn that Iran-based cyber actors continue to exploit U.S. and foreign organizations. We kick off our new educational CertByte segment with hosts Chris Hare and George Monsalvatge. Precrime detectives root out election-related misinformation before it happens.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On today’s show, our guests are N2K's Chris Hare and George Monsalvatge introducing our new bi-weekly CertByte segments that kick off today on the CyberWire Daily podcast.

CertByte Segment
Welcome to CertByte! On this bi-weekly segment hosted by Chris Hare, a content developer and project management specialist at N2K, we share practice questions from our suite of industry-leading content and a study tip to help you achieve the professional certifications you need to fast-track your career growth. In each segment, Chris is joined by an N2K Content Developer to help illustrate the learning. This week, Chris is joined by George Monsalvatge to break down a question targeting the Project Management Professional (PMP)® certification by the Project Management Institute®. Today’s question comes from N2K’s PMI® Project Management Professional (PMP®) Practice Test.

The PMP® is the global gold standard certification typically targeted for those who have about three to five years of project management experience. To learn more about this and other related topics under this objective, please refer to the following resource: Project Management Institute - Code of Ethics and Professional Conduct. Have a question that you’d like to see covered? Email us at certbyte@n2k.com. If you're studying for a certification exam, check out N2K’s full exam prep library of certification practice tests, practice labs, and training courses by visiting our website at n2k.com/certify.

Please note: The questions and answers provided here, and on our site, are not actual current or prior questions and answers from these certification publishers or providers.

Selected Reading
Malware Delivered via Malicious Pidgin Plugin, Signal Fork (SecurityWeek)
BlackByte Hackers Exploiting VMware ESXi Auth Bypass Flaw to Deploy Ransomware (Cyber Security News)
US Offering $2.5 Million Reward for Belarusian Malware Distributor (SecurityWeek)
Services at Swiss manufacturer Schlatter disrupted in likely ransomware attack (SiliconANGLE)
US Marshals say data posted by ransomware gang not from 'new or undisclosed incident' (The Record)
Park’N Fly notifies 1 million customers of data breach (Bleeping Computer)
Taking the Crossroads: The Versa Director Zero-Day Exploitation (Lumen)
Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations (CISA)
Hundreds of 'PreCrime' Election-Related Fraud Sites Spotted (Metacurity)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Threat actors use a malicious Pidgin plugin to deliver malware. The BlackByte ransomware group is exploiting a recently patched VMware ESXi vulnerability.
The State Department offers a $2.5 million reward for a major malware distributor.
A Swiss industrial manufacturer suffers a cyber attack.
The U.S. Marshals Service responds to claims of data theft by the Hunters International ransomware gang.
Park'N Fly reports a data breach affecting one million customers.
Black Lotus Labs documents the active exploitation of a zero-day vulnerability in Versa Director servers.
Federal law enforcement agencies warn that Iran-based cyber actors continue to exploit U.S. and foreign organizations.
We kick off our new educational CertByte segment with hosts Chris Hare and George Monsalvatge, and pre-crime detectives
root out election-related misinformation before it happens.
It's Wednesday, August 28th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us, as always.
Threat actors have been delivering malware to instant messaging users via a malicious Pidgin plugin and an unofficial fork of the Signal app. The Pidgin messaging app developers discovered that a plugin named ScreenShareOTR
had made it onto their official third-party plugins list.
The plugin, which claimed to offer screen sharing over the OTR protocol,
actually contained keylogging code and shared screenshots with its operators.
ESET's analysis revealed that the plugin could download and execute malicious scripts,
including the DarkGate malware, which steals credentials and logs keystrokes.
A similar backdoor was found in Cradle, an unofficial Signal fork,
which also included malicious code and used the same certificate as the Pidgin plugin.
Both the Pidgin plugin and the Cradle app had Linux versions with similar capabilities.
ESET has provided indicators of compromise to help detect these threats.
Security researchers at Cisco Talos have identified that the BlackByte ransomware group is exploiting a recently patched vulnerability in VMware ESXi
hypervisors to deploy ransomware and gain full administrative access to victim networks.
The vulnerability allows attackers to bypass authentication on ESXi systems joined to an
Active Directory domain. By exploiting this flaw, BlackByte can create a malicious ESX Admins group,
granting themselves administrative privileges. Cisco Talos researchers observed the group using
this vulnerability to deploy ransomware, which spreads across networks using stolen credentials
and vulnerable drivers. Microsoft has also noted similar exploits by other ransomware groups.
Organizations are urged to patch their VMware ESXi systems promptly and implement strong access controls and monitoring to mitigate the impact of these attacks.
a $2.5 million reward for information leading to the arrest of Volodymyr Kadariya, a Belarusian and Ukrainian national involved in mass malware distribution. Kadariya, also known by several
aliases, was indicted in June 2023 alongside Maxim Silnikow and Andrey Tarasov for wire fraud and computer fraud conspiracy.
Kadariya allegedly participated in distributing the Angler exploit kit from 2013 through 2022,
using malvertising and scareware ads to spread malware, including ransomware.
Victims were deceived into downloading malicious software or providing personal information,
which was then sold on Russian cybercrime forums. The scheme also involved selling access to
compromised devices. Silnikow was recently extradited to the U.S. to face related charges.
Schlatter Industries AG, a Swiss industrial manufacturer, experienced a significant disruption in its IT services due to a cyber attack involving malware on Friday.
The company, a global leader in welding and weaving machines, reported that the attackers were attempting to blackmail them,
likely demanding a ransom in exchange for encryption keys or to prevent the release of stolen data.
While the specific malware wasn't disclosed, the nature of the attack suggests it's probably ransomware.
Schlatter has involved internal specialists, external experts, and authorities
to mitigate the damage and investigate the potential theft of data.
The U.S. Marshals Service has investigated claims by the Hunters International ransomware gang, which recently posted 386 gigabytes of sensitive data online, including files on gangs, FBI documents, and case information.
U.S. Marshals Service spokesperson Brady McCarron stated that the data does not stem from a new breach, but is identical to information stolen during a ransomware attack on the agency in 2022.
The Marshals Service confirmed that the 2022 incident was significant,
though the group behind it was never identified.
Hunters International, known for high-profile attacks,
is now soliciting monetary offers for the stolen data until August 30th.
The U.S. Marshals Service did not comment on whether they had received any ransom demands,
and the investigation into the previous hack remains ongoing.
The gang's recent actions have raised alarms due to their history of threatening victims to extort money.
Park'N Fly, a major off-airport parking service provider in Canada,
has reported a data breach affecting one million customers after hackers accessed its network using stolen VPN credentials in mid-July.
The breach, which occurred between July 11th and July 13th, exposed personal information
such as full names, email addresses and physical addresses, Aeroplan numbers and CAA numbers.
However, no financial or payment card information was compromised. The company discovered the
breach on August 1st and has since restored impacted systems while implementing additional
security measures. Park'N Fly's CEO, Carlo Morello, expressed regret over the incident and emphasized
their commitment to safeguarding customer data. Customers have been advised to watch for phishing
attempts and consider resetting passwords, especially those linked to Air Canada's frequent flyer program.
Black Lotus Labs at Lumen Technologies discovered the active exploitation of a zero-day vulnerability
in Versa Director servers used by internet and managed service providers to manage SD-WAN
configurations. The vulnerability, affecting all Versa Director versions before 22.1.4, allows
attackers to deploy a custom web shell named VersaMem, which intercepts credentials and runs
additional Java code in memory. The exploitation, linked to Chinese state-sponsored groups Volt
Typhoon and Bronze Silhouette, began as early as June 2024 and
targeted several U.S. and non-U.S. entities. Black Lotus Labs advises all Versa Director users to
upgrade to version 22.1.4 or later and follow Versa Networks' security advisories. Due to the
severity and potential impact on strategic assets,
Lumen Technologies has shared this intelligence with U.S. government agencies.
And speaking of U.S. government agencies, the FBI, CISA, and the Department of Defense
Cyber Crime Center have issued a joint cybersecurity advisory warning that Iran-based
cyber actors continue to exploit U.S. and foreign
organizations as of August 2024. These targets include sectors such as education, finance,
healthcare, defense, and local governments in the U.S., as well as entities in Israel,
Azerbaijan, and the UAE. The FBI assesses that these actors aim to gain network access
and collaborate with ransomware affiliates to deploy ransomware,
while also conducting cyber espionage for the Iranian government.
The advisory provides detailed tactics, techniques, and procedures and indicators of compromise,
urging organizations to implement recommended mitigations to defend against these
ongoing threats. The guidance is based on FBI investigations and technical analysis of these
malicious activities. Coming up after the break, a first look at our new educational CertByte segment.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one
third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
We are pleased to be kicking off a new bi-weekly educational segment called CertByte.
It's hosted by N2K's Chris Hare, along with George Monsalvatge.
I sat down with Chris and George to find out more about CertByte.
Well, Chris and George, welcome.
It's great to have you here on the show,
and I'm excited to talk about this new segment that we're going to be sharing,
and it is called CertByte.
Can I start with you, Chris?
Before we dig into what CertByte is, can you give us a little bit about yourself and your
own background?
So yes, thanks so much, Dave, for having us.
I'm a project management specialist and content developer here at N2K.
I've been here about a year and a half.
I have about 20 plus years of experience as a writer and certified project manager.
I've worked for several great companies,
including N2K, such as Patagonia, Adobe,
Harbor Freight Tools, and Guitar Center.
I hold about nine professional certifications and counting.
And I'm currently in charge
of all project management-related training
and exam content.
And I'm also the creator and
host of this new podcast segment on your network, Dave, that we're here to discuss called CertByte.
All right. George, how about you? What brings you to the table here?
I am a former Microsoft certified trainer. I've been training on Microsoft or working
with Microsoft for 30,
no, that can't be, 30 years, man, 30 years. Can you believe that? So I have a whole bunch of
Microsoft certifications and I have been working probably for the past 17 years writing content for
practice tests and for people who want to achieve their Microsoft certification.
Well, let's dig into CertByte itself. Chris, what is the premise of this show?
So, Dave, every two weeks, I share a practice question from N2K's suite of top certification exam content and a study tip, basically to help our listeners fast-track their career growth in
IT, cybersecurity, and project management fields.
And in each episode, I feature a guest host and one question from a leading certification exam.
And for the first four episodes, my teammate George here will be my wingman.
George, what sort of things can we expect from the episodes you're going to be part of?
Well, we take a look at the actual exam.
So we take one of the questions and we analyze it
and basically find out why is it right, why is it wrong.
And also, kind of when we do that,
take a look and see how to use the process of elimination
when finding the answers.
Chris, I understand there is also going to be some study
tips here. Yes. So we also share what I like to call a 10-second study bit, which offers a quick
studying or prep strategy for the particular exam we're discussing. So George, obviously you have a
good bit of expertise with the Microsoft-based questions. Are we going to be leaning into that for your segments?
Yes, I will be handling most of the Microsoft-based segments,
but we would like to, and we'll certainly delve into other disciplines,
whether that be project management, CompTIA, Cisco, or others.
So, Chris, beyond the questions themselves,
I mean, there's some additional materials
that you all are supplying as well.
Yeah, so we have show notes
that have some really good info in there too.
Anytime we've used a term
that we think may be helpful
for our listener to delve into
or learn more about,
we link out to our glossary
and that also features work notes
for some of our terms.
And who do you suppose the target audience is here?
I mean, does it go beyond the folks who are just getting started in their career?
It is for anybody who is looking to start their career, pivot at any level of their career,
anybody who has an interest in IT, cybersecurity, and project management fields.
Are you planning on turning the tables on Chris to see how she does there as well?
Well, she is a smart cookie, so I know that she'll do well.
Likewise, George.
So what's the cadence here, Chris?
How often can we expect to enjoy this segment here on the CyberWire Daily?
So it will be biweekly and it will air on Wednesdays.
All right.
Well, without further ado, how about we share the first CertBytes segment with our listeners?
Here it is.
Hi, everyone. It's Chris. I'm a content developer and project management specialist here at N2K
Networks. I'm also your host for this week's edition of CertByte, where I share a practice
question from our suite of industry-leading content and a study tip to help you achieve
the professional certifications you need to fast track your career growth.
Today's question targets the PMP, the Project Management Institute's Project Management Professional Certification, the global gold standard cert, typically targeted for those
who have about three to five years of project management experience. This is not an actual
test question, but an example of one that covers an objective for the 7th edition exam,
which came out in August of 2021. And today, I've invited my teammate George to join me.
How are you today, George? I'm great, Chris. Thanks for having me.
Absolutely. So, George is a highly technical Microsoft expert, and I thought it'd be fun to see how much he knows about project management. So I know you've earned your PMP, George. Is that right? I did. And that was a long time ago, 12 years ago. Can you believe
that? That's all right. I took mine quite a bit ago, so no problem. So George, before we get into
the question, I'm going to share a 10-second study bit for this exam for our listeners. You've
taken the PMP already, but I'd like to know if this resonates with you. So my 10-second study bit for the PMP is do a formula dump once you sit down at your
testing site and get out your scratch paper, because not all credential tests let you do this,
and I'm not sure if Microsoft exams let you do this as well, but I was able to do this for the
PMP. They do? Oh, that's good. It's a huge advantage, isn't it? Oh, yeah. And so do you have a study tip for the PMP you'd like to share as
well? Well, I would just like to add on to what you were saying. You certainly need to dump all
those formulas that are in your brain onto a piece of paper before you take the test. Chris, when I
took that exam, it was three to four hours. It took forever and a day. So my study tip would be when
you go through practice test questions, make sure you go through the practice test questions for at
least a four-hour period so that you are prepared to actually sit the exam to spend the four hours
in that testing room. That would be my tip. Great tip. And it was four hours back in the day when we took it.
It is now just shy of four hours, but that is still a good tip.
So thank you for sharing that.
All right, George, are you ready for your question?
I guess so.
You'll do fine.
So here's your question.
Your project team is due to submit a deliverable today, and you discover a defect in it. You're aware that
your customer does not have enough technical knowledge to notice this defect. The deliverable
technically meets the contract requirements but would fail the fitness to use condition,
which means basically it does not meet its intended purpose. So what should you do in
this situation? And here are your choices. Okay.
Should you A, inform the customer that the delivery will be late?
B, document the matter in the lessons learned for future use?
C, deliver the deliverable, get the formal acceptance and keep quiet?
Or D, discuss the matter with your customer?
So George, while you're thinking this over,
let me give you,
I'm gonna give you a second to think about it while I give you a bit of context around this.
Okay.
So the question is testing your knowledge
of PMI's Code of Ethics and Professional Conduct,
which is a separate document from the PMBOK.
And it basically covers the moral parameters for conduct of a project
manager in their profession. So basically, honesty, responsibility, respect, and fairness.
So all that said, what would be your answer? Well, looking at these choices, Chris, the only
one that works would be discuss the matter with your customer. Let me explain why. So the first
one you said was inform the customer that the delivery is going to be late. You may have to do that, which brings up the other
question or more questions. So that goes back to discuss the matter with your customer. Document
the matter and lessons learned for future use. You're going to have to do that anyway. And keep
quiet. Probably not a good idea. You're going to end up getting sued. So I'm going to go with
discuss the matter with your customer.
Excellent reasoning and excellent choice.
That is the correct answer, D.
You should discuss the matter with your customer.
So according to PMI's Code of Ethics and Professional Conduct, the project manager should protect the best interests of the stakeholders and be honest with them about the true status of the project.
So discussing the matter with your customer is the best approach. Good job, George.
Thank you.
Thank you so much for being my project management guinea pig. Really appreciate your time today.
Thanks for having me.
And thank you for joining me for this week's CertByte. If you're actively studying for
this certification and have any questions about study tips or even future certification questions you'd like to see, please feel free to email me at certbyte at n2k.com.
That's C-E-R-T-B-Y-T-E at n number 2k dot com.
If you'd like to learn more about N2K's practice tests, visit our website at n2k.com forward slash certify. For sources
and citations for this question, please check out our show notes. Happy certifying.
Our CertByte segments will run every other week right here on the CyberWire Daily Podcast.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your
And finally, in a twist straight out of Minority Report,
the cybersecurity firm BforeAI is playing the role of pre-crime detectives,
just like the precogs from the movie, but with a digital twist.
They're not predicting murders, but they are spotting cybercrimes before they happen,
specifically election-related scams and misinformation campaigns.
These cybercriminals are registering domains
with candidate names like Trump, Biden, Harris, and Kamala
to create believable phishing sites
aimed at stealing personal and financial information
or spreading propaganda. Some sites are laughably amateurish, while others are sophisticated enough to fool
unsuspecting voters. BforeAI has even found some pre-crime sites linked to shady cryptocurrency
schemes and others spreading malware. While these bad actors seem more interested in making a quick buck than swinging an election,
their tactics are a reminder that the digital Wild West is alive and well as we head toward the polls.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the
daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement
agencies. N2K makes it easy for companies to optimize your biggest investment, your people. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps
tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.