CyberWire Daily - Hackers like to move it, move it. Skimmers observed targeting Americas and Europe. Hybrid war activity.
Episode Date: June 2, 2023

MOVEit Transfer software sees exploitation. A website skimmer has been employed against targets in the Americas and Europe. A look into XeGroup's recent criminal activity. Apple denies the FSB's allegations of collusion with NSA. Kaspersky investigates compromised devices. Johannes Ullrich from SANS describes phony YouTube "live streams". Our guest is Sherry Huang from the William and Flora Hewlett Foundation to discuss their grants funding cyber policy studies. And the US Department of Defense provides Starlink services to Ukraine.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/106

Selected reading.
MOVEit Transfer Critical Vulnerability (May 2023) (Progress Software)
Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability (Rapid7)
New MOVEit Transfer zero-day mass-exploited in data theft attacks (BleepingComputer)
Hackers use flaw in popular file transfer tool to steal data, researchers say (Reuters)
New Magecart-Style Campaign Abusing Legitimate Websites to Attack Others (Akamai)
Not your average Joe: An analysis of the XeGroup's attack techniques (Menlo Security)
Unmasking XE Group: Experts Reveal Identity of Suspected Cybercrime Kingpin (The Hacker News)
Apple denies surveillance claims made by Russia's FSB (Reuters)
FSB uncovers US intelligence operation via malware on Apple mobile phones (TASS)
Kaspersky Says New Zero-Day Malware Hit iPhones—Including Its Own (WIRED)
Operation Triangulation: iOS devices targeted with previously unknown malware (Kaspersky)
Lithuania becomes first to designate Russia as terrorist state (CSCE)
Pentagon confirms SpaceX deal for Ukraine Starlink services (C4ISRNET)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.
MOVEit Transfer software sees exploitation.
A website skimmer has been employed against targets in the Americas and Europe.
A look into XeGroup's recent criminal activity.
Apple denies the FSB's allegations of collusion with NSA.
Kaspersky investigates compromised devices.
Johannes Ullrich from SANS describes phony YouTube live streams.
Our guest is Sherry Huang from the William and Flora Hewlett Foundation to discuss their grants funding cyber policy studies.
And the U.S. Department of Defense provides Starlink services to Ukraine.
I'm Dave Bittner with your CyberWire Intel briefing for Friday, June 2nd, 2023.

Hackers like to move it, move it, as the song says, and they've been observed exploiting a vulnerability in Progress Software's MOVEit Transfer managed file transfer software, the company disclosed Wednesday.
Researchers at Rapid7 say they've observed exploitation of the vulnerability before it was disclosed, and these attacks have increased since its disclosure.
The researchers note, "Our teams have so far observed the same web shell name in multiple customer environments, which may indicate automated exploitation."
Bleeping Computer reports that attackers are exploiting the vulnerability to perform mass downloading of data from organizations.
Reuters quotes Mandiant's chief technology officer as stating that mass exploitation and broad data theft has occurred over the past few days.
Rapid7 adds that the MOVEit Transfer advisory has contradictory wording on patch availability, but that fixed versions of the software are available as of yesterday and should be applied on an emergency basis.
Researchers at Akamai describe a Magecart-style web skimmer campaign that steals credit card information and personally identifiable information by exploiting legitimate websites.
So far, the researchers have identified victims in North America, Central America, and Europe.
The new campaign represents an evolution over its Magecart predecessor.
While Magecart typically exploited Magento systems, the criminal activity Akamai describes also afflicts WooCommerce, WordPress, and Shopify, showing the growing variety of vulnerabilities and abusable platforms that are available for attackers, according to Akamai.
This campaign seems to be a long-term effort that works to conceal itself by setting up C2 nodes in victims' websites, creating a host by which they can then distribute malware to other secondary retail websites.
Some of the deceptive hosting operations involve repeat victims.
The researchers say they've seen a host abused twice, once in the initial infection, and a second time when the threat actors employ their web skimmer.
To obfuscate and hide their code, the actors have imitated third-party services like Google Analytics and Google Tag Manager.
Another report on skimmers claims to have identified the individual behind a series of incidents.
The hacking outfit XeGroup, active since at least 2013, uses a multitude of tactics, techniques, and procedures in its cybercriminal activity, Menlo Security reports.
The gang has been observed having involvement in supply chain attacks that resemble Magecart.
The gang has also been seen creating fake websites in order to lift personal information, as well as selling data on the dark web.
The Hacker News reports that the gang has been known to compromise internet-exposed servers with well-known exploits and monetize the intrusions by installing password theft or credit card skimming code for online services.
One of the identities of an associated hacker has been revealed as Nguyen Huu Tai, seen also going by the names Joe Nguyen and Tan Nguyen.
The researchers assess that it's highly likely that this threat actor is based in Vietnam.
Apple denied working with NSA or any other agency to backdoor its own products in the interest of espionage or surveillance, Reuters reports.
In response to FSB charges that Apple had colluded with the U.S. National Security Agency to enable surveillance of Russian iPhone users, Apple said it had never worked with any government to insert a backdoor into any Apple product and never will.
TASS reported the FSB's allegations yesterday, saying that the information obtained by the Russian special services demonstrates close cooperation between Apple and the U.S. national intelligence community, in particular the U.S. NSA.
They claim that Apple provided U.S. intelligence services with data.
The FSB's claims have been received with some skepticism. Wired, for example, characterizes the allegations as wild.
Meanwhile, Russian cybersecurity firm Kaspersky has observed zero-day exploitation of some of its iPhones by an unknown APT using imperfectly understood techniques.
Kaspersky doesn't offer any attribution for the operation, dubbed Operation Triangulation, and doesn't allege Apple collusion with the attackers.
The exploit is delivered via iMessage and is triggered without user interaction.
The researchers are still analyzing the final payload and so far have determined that the code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as a plug-in module from the C&C server.
The company describes the payload as a fully featured APT platform.
Kaspersky says that Operation Triangulation has been in progress since 2019 and that it continues into the present.

Russian cyber auxiliary NoName057(16) has been conducting DDoS and defacement campaigns against Lithuanian websites this week.
On Monday, the group posted on its Telegram page that they would begin attacks against Lithuanian targets in response to the country's continued support of Ukraine and the decision to classify Russia as a terrorist state.
The Lithuanian government's statement reads, "The war against Ukraine by the Russian Federation is a genocide of the Ukrainian nation carried out by Russia. The Russian Federation is a country that supports and executes terrorism."
NoName057(16) claims it has attacked 39 Lithuanian websites since Monday, May 29th.
The group this week seems to have focused principally on Lithuania, with a few attacks against Latvia interspersed with its actions against Lithuanian targets.
The group's attacks seem to be randomly dispersed across sectors that include agriculture, financial, and energy.
And finally, the U.S. is funding Starlink communications for Ukraine, C4ISR.net reports.
Because of the sensitivity of the nature of the services provided,
the Department of Defense provided no information on their cost, duration, or coverage.
Starlink has, over the course of the war, provided valuable and resilient connectivity to Ukraine.
Coming up after the break, Johannes Ullrich from SANS describes phony YouTube live streams.
Our guest is Sherry Huang from the William and Flora Hewlett Foundation to discuss their grants funding cyber policy studies.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
The William and Flora Hewlett Foundation is providing grants to fund cyber policy studies at four institutions serving diverse student populations: Spelman College in Atlanta and Tallahassee's Florida A&M University, two historically Black institutions; Florida International University in Miami, a Hispanic-serving institution; and Turtle Mountain Community College, a tribal college in Belcourt, North Dakota.
To learn more about the grants, I spoke with Sherry Huang, Interim Program Officer for the Cyber Initiative and also the Special Projects Fellow at the Hewlett Foundation.

The Hewlett Foundation has had a pivot or, like, has increased the momentum of focusing on racial justice since 2020 and the murder of
a pivot or like has increased the momentum of focusing on racial justice since 2020 and the murder of
George Floyd. And so across our program areas, we've been thinking of ways to center diversity,
equity, inclusion, and justice in our grantmaking. And in that stream, the Cyber Initiative has also been thinking about how we can
help diversify the cyber policy field, a field that we've been building and nurturing for almost
10 years. And to give a little bit of context, our approach to funding the cyber policy field is through three core pillars.
So number one, we seek to build a set of core institutions, whether it's think tanks or academic programs at universities or other nonprofits.
And then we also focus on the talent pipeline. So we fund
degree programs at universities and fellowships at think tanks to have a steady pipeline of experts
coming into the tech policy field. And then our last pillar is more related to translation
infrastructure, working with journalists and the media to help
socialize and also make the concepts of cybersecurity and cyber policy more accessible
and approachable to the general public. So with the shift of the Hewlett Foundation to focus more on diversity, equity, and inclusion,
the cyber initiative has also looked into different ways that we can help diversify
the cyber policy field. And we had an evaluation of our cyber talent pipeline strategy in 2021. And one really big finding that
came out of it is that, hey, we've been doing a really good job building the talent pipeline,
but predominantly for predominantly white institutions. And there is still a very big gap in representation
from other more diverse communities in the U.S. And so one of the recommendations that came out
of that was to look more at other minority-serving institutions, including historically Black colleges and universities,
Hispanic-serving institutions, and tribal colleges. I mean, the evaluation really focused on HBCUs,
but as we started thinking about what we want to focus on in the last two years of the cyber
initiative, we really wanted to broaden our view to not only focus on historically Black
colleges, but also include other communities that have been marginalized and historically
underrepresented. And so for our round of grantmaking, we decided in the end to fund two HBCUs, one Hispanic-serving institution,
and one tribal college. And they are Florida A&M University and Spelman College. These are our two HBCUs. Florida International University, this is our Hispanic-serving institution. And Turtle Mountain Community College, that is based two and a half hours outside of Minot, North Dakota. And that is our tribal college.

And what types of grants are we talking about here? What are the specific
things that this money will fund at these universities? So we're looking at general operating support grants.
For those who aren't as familiar with philanthropy, a lot of funders, they give project
grants, which are often tied to a specific project that they are interested in or a specific
issue area that they're interested in. From the Hewlett end, we are working to give
more general operating support grants that basically gives our grantee partners a lump sum
and they can decide what they want to do with it as long as it's for a charitable purpose. Through general operating support grants, our grantee partners,
they can build, whether it's a new degree program at their university or a brand new
cyber policy center, they can decide to use those funds to hire more faculty, to give scholarships or fellowships to their students.
Basically, anything they want to do that will help build a talent pipeline of students
through an interdisciplinary program is what we're looking for.
And how do you measure success?
What sort of feedback do you get from these institutions to report back on what they're doing?
That's a really good question. I would say the measure of success, number one,
is whether they have been able to create a formalized program. So some of these institutions, they currently already have existing cyber policy programs and our funds will just help them grow it and expand it even more.
Other institutions, they currently do not have a cyber policy focused program, so they're going to build it from scratch. So I would say the first measure of success would be, is there a formal program in a couple of years? Number two experts and partners in the field is that
oftentimes for minority-serving institutions or non-predominantly white institutions,
there is a shortage of capacity, especially at the mid-level faculty level. And so the second measure of success would be whether these institutions
have been able to use our funds to build more institutional capacity so that their faculty
aren't overstretched. They have time and space to really focus on working with their students and
working on the research areas that they care about and
see as important for the field. Number three, I would say the last measure of success is
more long-term and whether these programs are able to continue. So oftentimes we see initiatives where a funder comes in and once the funding period is
over, the institution itself isn't able to attract more long-term sustainable funding. And then that
program just peters out. And that is the last thing we want to see, so from the start, we've been working with our grantee partners
on how to think about what happens after the end of the Hewlett funding period. So do they have
strategies and plans in place to cultivate independent revenue streams that would allow them to sustain this program beyond Hewlett support.
And I think this conversation, we have already launched it, and it's an ongoing conversation
because we really want to see these efforts sustain. And just one thing I forgot to mention is that our ultimate goal is to see these first
four grantees as anchor grantees, and hopefully they will inspire more minority-serving institutions
or other institutions that have a large body of historically diverse communities as their students to start thinking about, hey,
whether cyber policy and tech policy is a program area that I want to start offering at my school.
Do I want to start focusing on this at the institution level as well. So we really hope that they are the initial start, but that their impact
and their work can inspire more work across the country and also globally.
That's Sherry Huang from the Hewlett Foundation.

And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast.
Johannes, it's always great to welcome you back.
You and your colleagues have been tracking some YouTube live streams that have been advertising cryptocurrency,
but there's more than meets the eye here, yes? Yeah, it's sort of interesting in a couple ways.
Now, first of all, the scam itself, I think, is fairly obvious, has often been done. You do see a YouTube video, usually claiming to
be a live stream and usually involving some personality that you may be interested in.
Like one I've seen just yesterday was Elon Musk talking about the latest SpaceX update.
So that's how the video was advertised. When you click on it, you don't see a live stream.
You see a recording of Elon Musk, which itself wouldn't necessarily be that malicious.
But then fairly early in the video, there's a little overlay that's being displayed.
It shows a tweet by Elon Musk.
At least it claims to be a tweet by Elon Musk.
And the QR code telling you, hey, if you scan this QR code, I'm giving away cryptocurrencies today.
Because after all, I became the richest man in the world
because I like to give money away.
That's how it usually works.
I remember when Bill Gates was the one who was giving away all of his money.
I guess he's poor now and he gave all of his money away no longer.
But it must be sort of, of course, cryptocurrency,
always a personality that's being used here. And the site itself then offers a fairly straightforward scam.
You're sending Bitcoin or a couple different currencies they usually use to this account.
And hey, magically, you'll get twice of what you send back. The sad part is the Bitcoin address, at least that I looked at yesterday,
it already had received like $25,000 worth of Bitcoin.
So people apparently are falling for it.
So this game is pretty old.
What got me interested into it is
the YouTube channels they're using
are not newly created scam channels.
You would think that they just set up a new channel
and post their little videos.
But there's a problem with that.
Imagine you play with YouTube a little bit as well.
You need actually subscribers to your channel
for people to actually watch it.
Some of these channels were created back in 2008 and such.
They had 2 million subscribers, so they weren't small channels.
But apparently what happened here was that the channel itself was active at a time.
Well, creative fatigue set in or whatever.
It sort of was no longer maintained.
And then someone took it over.
In some cases, I was able to actually track it down where credentials were stolen.
So someone phished these creators and then got credentials for the YouTube account and just outright stole it.
There have actually been a couple of cases where channels were sold for a little bit of money.
And they are now being used for these scams.
So just because a channel is popular, has a lot of subscribers,
doesn't necessarily mean that it's a reputable channel in that sense.
I suppose there's a lesson here, too, that perhaps it's in your best interest if you're a regular viewer on YouTube to go through the channels you subscribe to.
And if something hasn't updated in a while or certainly in a couple of years, unsubscribe.
Get it out of that feed.
Don't help feed those algorithms.
That's probably a good idea.
And then in case that channel does ever get taken over, you're no longer exposed to that as much as you were before.
Now, the ads I've seen, I don't think any of these channels I subscribe to, but it was also, like, the channel for example with the supposed SpaceX video, well, it was a space-related channel, so I'm a little bit of a geek, I guess.
So I watch a lot of those type of videos, which probably is why the algorithm fed it to me.
Right, right.
And the scam itself, I mean, it's fascinating
because it's a legit video of someone like Elon Musk
doing a legit presentation.
So they're using the fact that that part is legit
to overlay the scam using the
reputation and the legitimacy of the original presentation.
Correct. And that probably also helps with algorithms. Again, if you have a personality like this that people are interested in, so that may bring that again at the forefront of more viewers.
Google itself does a little bit of filtering here.
There is a lot of talk also in the creative community about whether or not you're allowed to use swear words in the first 10 seconds of the video, because that's apparently what YouTube is reviewing when they're sort of seeing some videos that are all of a sudden very popular and such.
Then again, if you just wait till those 10 seconds, and of course there's lots of experiments such that people are doing, the legitimate creators are doing, in order to figure out how to best use these monetization algorithms in YouTube.
So you don't necessarily have to figure out yourself, but you have to place this fake ad in order to sneak past some of the reviewing they may be doing.
Yeah.
All right.
Well, something to keep an eye out for.
Johannes Ullrich, thanks for joining us.
Thank you.

the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday, my conversation with Brigid O'Gorman from Symantec. We're talking about LanceFly, a group that uses custom backdoors to target orgs in government, aviation, and other sectors.
That's Research Saturday. Check it out.
We'd love to know
what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence
and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.