CyberWire Daily - Genesis Market taken down. Proxyjackers exploit Log4j. Fast-encrypting Rorschach ransomware. More Killnet DDoS. Patch Zimbra now. Soft power and Russia’s hybrid war.

Episode Date: April 5, 2023

Genesis Market gets taken down. Proxyjackers exploit Log4j vulnerabilities. Fast-encrypting Rorschach ransomware uses DLL sideloading. Killnet attempts DDoS attacks against the German ministry. Carole Theriault ponders AI-assisted cheating. Johannes Ullrich tracks malware injected in a popular tax filing website. Soft power and Russia's hybrid war.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/65

Selected reading.
'Operation Cookie Monster': International police action seizes dark web market (Reuters)
Stolen credential warehouse Genesis Market seized by FBI (Register)
FBI Seizes Bot Shop 'Genesis Market' Amid Arrests Targeting Operators, Suppliers (KrebsOnSecurity)
Genesis Market, one of world's largest platforms for cyber fraud, seized by police (Record)
'Operation Cookie Monster': FBI seizes popular cybercrime forum used for large-scale identity theft (CNN)
Cybercrime marketplace Genesis Market shut by FBI, international law enforcement (CNBC)
FBI seizes stolen credentials market Genesis in Operation Cookie Monster (BleepingComputer)
Notorious Genesis Market cybercrime forum seized in international law enforcement operation (CyberScoop)
Proxyjacking has Entered the Chat (Sysdig)
Rorschach – A New Sophisticated and Fast Ransomware (Check Point Research)
Russian hackers attack German ministry's website (TVP World)
Zimbra Flaw Exploited by Russia Against NATO Countries Added to CISA 'Must Patch' List (SecurityWeek)
Zimbra vulnerability exploited by Russian hackers targeting Nato countries - CISA (Tech Monitor)
CISA Adds One Known Exploited Vulnerability to Catalog (Cybersecurity and Infrastructure Security Agency CISA)
NVD - CVE-2022-27926 (National Vulnerability Database)
The Interview - Russian cyber weapons 'could do a lot of damage' in the US: Former counterterrorism czar (France 24)
Biden cybersecurity chief 'surprised' Russia has not hit US targets amid Ukraine war (Washington Examiner)
Ukrainian Cyber War Confirms the Lesson: Cyber Power Requires Soft Power (Council on Foreign Relations)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Genesis Market gets taken down. Proxyjackers exploit Log4j vulnerabilities. Fast-encrypting Rorschach ransomware uses DLL sideloading. Killnet attempts DDoS attacks against the German ministry.
Starting point is 00:02:17 Carole Theriault ponders AI-assisted cheating. Johannes Ullrich tracks malware injected in a popular tax filing website. And soft power and Russia's hybrid war. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 5th, 2023. Popular online cyber criminal shop Genesis Market was seized by the FBI in an action that resulted in a takedown on Tuesday. The criminal operation has been linked to millions of cyber incidents across the world, with over 80 million stolen credentials and fingerprints present on the site, BleepingComputer reports.
Starting point is 00:03:24 The Record describes Genesis Market as a one-stop shop for criminals, selling both stolen credentials and the tools to weaponize that data. Unlike other criminal marketplaces, Genesis was unique in that it provided criminals with access to bots and browser fingerprints. These enabled malicious actors to access a victim's subscription platforms and banking services in a way that bypasses security warnings. Matthew Gracey-McMinn, head of threat research at Netacea, said, "The Genesis Market was an invite-only marketplace that sells only what the market owners term bots. However, you could still discover it through a normal search engine." CNN reports that the FBI's Operation Cookie Monster was broad in scope, with many international law enforcement agencies participating. It followed a series of law
Starting point is 00:04:14 enforcement operations involving coordinated arrests and raids. In January of last year, the FBI and Europol seized computer servers involved in criminal activity, and more recently, the FBI raided BreachForums and arrested its alleged proprietor. Sysdig reports a wave of proxyjacking against devices vulnerable to Log4j exploitation for remote code execution. It's a criminal-to-criminal play, an illicit version of legitimate proxy-sharing arrangements in which users agree to rent out their bandwidth. In proxyjacking, the arrangement is not only uncompensated, but it's also forced onto a device without the owner's consent. There's an obvious analogy with cryptojacking. As Sysdig explains, proxyjacking is a foil to cryptojacking in that it mainly aims to make use of network resources, leaving a minimal CPU footprint.
Starting point is 00:05:15 And of course, the resources can be resold on the criminal market. Check Point is tracking a new strain of ransomware called Rorschach, which is one of the fastest ransomware strains observed by speed of encryption. The researchers note that the ransomware was deployed using DLL sideloading of a Cortex XDR Dump Service Tool, a signed commercial security product, a loading method which is not commonly used to load ransomware. Check Point notified Palo Alto Networks, and Palo Alto stated, "Palo Alto Networks has verified that Cortex XDR 7.7 and newer versions with content update version 2.4.0 released November 2021 and later content updates detect and block the ransomware. A new content update will be released next week to detect and prevent the usage of this DLL sideloading technique." The Russian hacktivist auxiliaries of Killnet have attempted to disable a recently established German government website devoted to the economic reconstruction of Ukraine. The distributed denial of service attacks have so far successfully been repelled, a representative of the Federal Ministry for
Starting point is 00:06:25 Economic Cooperation and Development told Spiegel. TVP World reports that the attacks began last week when the BMZ established the site and continued into yesterday. Proofpoint's report last week on Winter Vivern, also known as TA473, described the Russian threat actor's exploitation of a Zimbra vulnerability, CVE-2022-27926, to gain access to Zimbra-hosted webmail portals from which the threat actor can gain access to NATO organizations involved with support for Ukraine. Winter Vivern impersonates Western organizations to conduct highly targeted, carefully prepared phishing operations against its targets. On Monday, CISA added CVE-2022-27926 to its Known Exploited Vulnerabilities catalog. U.S. federal civilian executive branch organizations
Starting point is 00:07:20 have until April 24th to check their systems and secure them. Speaking of CISA, Director Jen Easterly told the Washington Examiner that, surprising as it's been that Russia hasn't hit U.S. targets harder to disrupt American support for Ukraine, Russia hasn't been idle in the cyberspace around Ukraine proper. Easterly said, frankly, I'm surprised that we have not seen attacks against critical infrastructure at home. Russia's relative restraint seems, she suggests, due to deterrence. Russia understands that the U.S. would regard a major attack as highly escalatory. She added, I also think they've been very, very busy in Ukraine. Though we very much focus on the kinetic activity because it's so horrific,
Starting point is 00:08:10 there's been a lot of cyber activity against Ukraine's critical infrastructure, civilian infrastructure. The Council on Foreign Relations has an essay on one lesson that might be easily overlooked. In the piece, author Jason Healey argues that Ukrainian resilience in the face of Russian cyber attacks is evidence of the importance of soft power in cyber conflict, stating, Ukraine's cyber defenses have been remarkably resilient. There are multiple sources of this defensive strength; in particular, the savvy, energy and determination of Ukrainian cyber organizations, who've been adapting to Russian offensive campaigns since at least 2014, has been critical. Kyiv has also been backed by cyber defense assistance from the private sector
Starting point is 00:08:57 and offensive and defensive cyber interventions by U.S. Cyber Command. These advantages were driven in large part by the strength of Ukrainian soft power. Connections to allies, global tech firms, and networks of information security researchers allow states to mobilize defenses unavailable to others. So, alliances, commerce, diplomacy, regular back and forth, all of these lend important resilience in cyberspace. And that's not a lesson out of the Grand Illusion either, but right off of the virtual battlefield. Coming up after the break, Carole Theriault ponders AI-assisted cheating. Johannes Ullrich tracks malware injected into a popular tax filing website. Stay with us.
Starting point is 00:10:04 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:10:29 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:11:19 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:11:57 I think many of us of a certain age are glad that the Internet wasn't around when we were foolish youths in high school and middle school, that not everyone was carrying a camera around, or there was a permanent record of every message you sent to each other. But what about schoolwork? What about cheating in class and artificial intelligence? Carole Theriault has been pondering that question, and she files this report. Today we have Vanja Svajcer, Vanja being a threat researcher at Cisco with 20 years under his belt in the industry. What he thought about the industry and how it's going to respond to this whole new ChatGPT and OpenAI and Microsoft's version and Google's version?
Starting point is 00:12:46 And how is the security industry responding to that? Yes, it's certainly interesting times. And I think the security industry is one of the industries which is very happy to adopt kind of machine learning and artificial intelligence, let's call them. But we started very early, you know, with anti-spam and classification with Bayesian filtering, which is basically a probability filtering where, if you receive an email, you would get a probability whether some email is spam or not. So it's a kind of machine learning, let's say, and from then on we moved onwards to different models or different ways of classifying malicious content,
Starting point is 00:13:33 and I think, you know, that will definitely continue in the future. There's almost no product today on the market which won't use machine learning and artificial intelligence technology in one way or another. So with ChatGPT, I think we were all kind of surprised by the simplicity of it and how well it can generate text that's much more user-friendly as opposed to, let's say, Googling in a search engine. I mean, we are so much used to Google and how we create those queries and what kind of results we get that now this sort of fundamental change
Starting point is 00:14:21 of being able to describe what you want to some bot that comes back that essentially has the knowledge of the internet at some point and generates the most probable text and the most probable output of what you described in the input is very fascinating. So do you think we might see a world where we're going to have basically automated threats being fought with automated security tools? That's the road we're going down, isn't it, really? And we're going to sit back eating popcorn. It's difficult to say.
Starting point is 00:15:00 We certainly are not yet there. And even if you can convince ChatGPT to write some malicious code, that code is actually quite basic compared to the state of the art of the malware code we are seeing today. And a lot of the time when you write something, you really, as a user of it, need to have such a good experience, because the generated code is not always up to scratch. And generated text, for example, certainly with some facts, is misleading. And some of the facts are certainly not correct. And the same way it is with the code. So, so far it's able to create some code. It needs a lot of hand-holding to create a little bit more advanced code, but a lot of user intervention is required. Now, how it's going to develop, whether ChatGPT 10 or whichever
Starting point is 00:16:00 version comes will have this ability... And certainly the whole artificial intelligence community is working on new algorithms. And so you never know when a new revolutionary transformer will appear again. Yeah, I think that's the big concern I have. There's a lot of players in the market all playing with quite powerful little tools. And who knows what's going to spring up where. So we're all watching everything all the time. Yeah, we see now that the ChatGPT API is included in many kind of security research and defending-side little projects, but also on the offensive side, trying to kind of reuse the knowledge there in adapting to
Starting point is 00:16:46 the environment and attacking some organization. We'll see what will happen, but the fact is that the technology they already have is still pretty reasonably effective for them. So they don't have to go and reinvent something completely new at the time. Yeah. Well, as you say, it's interesting times. Thank you for sharing your worldview with us, Vanja Svajcer, threat researcher at Cisco Talos. This was Carole Theriault for the CyberWire. And it is always my pleasure to welcome back to the show Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast.
Starting point is 00:17:44 Johannes, welcome back. Great to be here, Dave. So you and your colleagues are tracking an interesting development here with a tax filing online service. What can you share with us today? Yeah, it's of course interesting. This happened sort of right in the midst of tax season. eFile.com, a website that offers e-filing services, as the name implies, was apparently compromised. And it was compromised around mid-March, stayed compromised at least until the first weekend in April here. What happened was that malicious code was added to a JavaScript file on the site that directed users to an error page that looked fairly good. It looked like any other browser error page, but it told the user that, hey, you can't connect to this website because your browser is out of date.
Starting point is 00:18:40 And by the way, here we have an update for you. Of course, this update turned out to be malicious and implemented a simple backdoor on victim systems. So how do you suppose eFile could have found themselves victim of this sort of thing? I think it falls in the category of supply chain attack. Some other people noticed that the file actually was modified at the beginning of March, but that modification looked benign, something that a developer may have done. It was just simply a couple of lines being added to the file. The file itself is legit. It's called popper.js. It's part
Starting point is 00:19:18 of the larger Bootstrap framework. So many sites have a file by that name with that content, minus the malicious lines. A couple of options here. Maybe a developer copied the file from the wrong location that was already pre-pwned, essentially. Or a developer's workstation got compromised and an attacker noticed how a developer was experimenting with this file
Starting point is 00:19:43 and then figured out that, hey, I can add my own code here, the developer will probably not notice. And what does it seem like the bad guys are after here? The bad guys pretty much are after remote control of victim systems. It's a fairly generic, if somewhat cumbersome, backdoor. What's almost more scary about it is, based on the way the backdoor is coded, we are not dealing with advanced, sophisticated adversaries here. Let's call them the not-so-advanced persistent threat.
Starting point is 00:20:14 Someone who probably stumbled over the ability to edit that file more or less by accident, then figured out, hey, let me experiment with the backdoor here. That's sort of what it looked like. Any response from the folks at eFile? I reported it to them, as we saw it first, via their support page. They basically asked for details, but that's where it stopped.
Starting point is 00:20:39 I haven't heard from them at all. They removed the malicious part of the JavaScript on Monday, or Tuesday, Tuesday morning. So it was April the 4th. And on April the 5th, so Wednesday, they actually reverted to an older version of the website. If you're going to the website now with that older version, it's got lots of references to 2021. Also, a lot of the additional content is gone. So they're probably in some form of incident response mode while still trying to keep the business running. That's what it appears to me.
Starting point is 00:21:16 The website is still not configured right. There are still very verbose error messages and a couple of things like this. eFile.com, the company itself, actually, if you try to figure out anything about them, there isn't really much to them. They don't hire people, it appears. They don't really have any sort of named executives
Starting point is 00:21:35 that I could find. It's, I don't know, it's not sort of a company where there's a LinkedIn presence or so from anyone. When we tried to reach out to them, it was kind of hard to figure out how to get in touch with them at all. But it's fair to say that eFile itself is a legit business and the service they provide is the real deal. Yeah, it's a perfectly legit website. It's certified by the IRS to provide e-filing services.
Starting point is 00:22:10 So it's not that it's an outright malicious website. That's not the case. It's a perfectly legit website. And like I said, it's authorized by the IRS. I verified this. And it's not that easy to verify on the IRS website. But yes, there is a note that eFile.com does business with the IRS, so they didn't just copy and paste the logo to their website.
Starting point is 00:22:32 Is the lesson here to be cautious of a site telling you that you need to update your browser? Definitely. So that's something that you definitely should never do if a site does that. If that ever happens, close your browser and then use the browser's built-in update mechanism to verify if the browser is indeed out of date. This can happen, but you should never just download anything because a website tells you to.
Starting point is 00:22:59 That would definitely be odd. The tricky part here, of course, is that if a trusted website like this is compromised, the attacker could tell you, hey, this is tax filing software that you need for eFile.com. And that, of course, would be even more difficult to figure out for a victim, not to give any attackers any ideas. But this attack was definitely not used to its full potential. Yeah, and of course, just timing-wise,
Starting point is 00:23:29 it is that busy time of year for a company like eFile and also for the folks who'd be using it, it's time-sensitive as well. Exactly, and that's the other thing with anything time-sensitive like this. I know we all like to file our taxes on the 15th, but do it a little bit earlier. So if something like this happens, you have time to react, you have time to think and maybe go to a different site. Making decisions under duress, if you have to get those taxes filed today, is always dangerous. All right. Well, there are more details here if folks are interested over on the ISC section of the SANS website.
Starting point is 00:24:08 Johannes Ullrich, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. ... total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. ... N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik.
Starting point is 00:25:40 Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
