CyberWire Daily - How one access broker gets its initial access (it's through novel phishing). Be alert for deepfakes, US authorities say. The Pentagon's new cyber strategy. And a reminder: yesterday was Patch Tuesday.
Episode Date: September 13, 2023

An access broker's phishing facilitates ransomware. 3AM is fallback malware. Cross-site-scripting vulnerabilities are reported in Apache services. US agencies warn organizations to be alert for deepfakes. The US Department of Defense publishes its 2023 Cyber Strategy. Ann Johnson from the Afternoon Cyber Tea podcast speaks with Jenny Radcliffe about the rise in social engineering. Deepen Desai from Zscaler shares a technical analysis of Bandit Stealer. And a quick reminder: yesterday was Patch Tuesday. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/175

Selected reading.
Malware distributor Storm-0324 facilitates ransomware access (Microsoft Security)
3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack (Symantec)
Azure HDInsight Riddled With XSS Vulnerabilities via Apache Services (Orca Security)
Contextualizing Deepfake Threats to Organizations (US Department of Defense)
Bipartisan push to ban deceptive AI-generated ads in US elections (Reuters)
DOD Releases 2023 Cyber Strategy Summary (U.S. Department of Defense)
New Pentagon cyber strategy: Building new capabilities, expanding allied info-sharing (Breaking Defense)
New DOD cyber strategy notes limits of digital deterrence (DefenseScoop)
CISA Releases Three Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA)
September 2023 Security Updates (Microsoft Security Response Center)
Microsoft Releases September 2023 Updates (Cybersecurity and Infrastructure Security Agency CISA)
Zero Day Summer: Microsoft Warns of Fresh New Software Exploits (SecurityWeek)
Microsoft Patch Tuesday: Two zero-days addressed in September update (Computing)
Adobe Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA)
Microsoft, Adobe fix zero-days exploited by attackers (CVE-2023-26369, CVE-2023-36761, CVE-2023-36802) (Help Net Security)
Adobe fixed actively exploited zero-day in Acrobat and Reader (Security Affairs)
Adobe warns of critical Acrobat and Reader zero-day exploited in attacks (BleepingComputer)
Apple Releases Security Updates for iOS and macOS (Cybersecurity and Infrastructure Security Agency CISA)
SAP Security Patch Day for September 2023 (Onapsis)
Google Rushes to Patch Critical Chrome Vulnerability Exploited in the Wild - Update Now (The Hacker News)
Critical Google Chrome Zero-Day Bug Exploited in the Wild (Dark Reading)
Zero-day affecting Chrome, Firefox and Thunderbird patched (Computer)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
An access broker's phishing facilitates ransomware.
3AM is fallback malware. Cross-site-scripting vulnerabilities are reported in Apache services. US agencies warn organizations to be alert for deepfakes. The US Department of Defense publishes its 2023 Cyber Strategy. Ann Johnson from the Afternoon Cyber Tea podcast speaks with Jenny Radcliffe about the rise in social engineering.
Deepen Desai from Zscaler shares a technical analysis of Bandit Stealer.
And a quick reminder, yesterday was Patch Tuesday.
I'm Dave Bittner with your Cyber Wire Intel briefing for Wednesday, September 13th, 2023.
A Microsoft report outlines a criminal access broker that sends phishing lures through Microsoft Teams messages. The threat actor, which Microsoft tracks as Storm-0324, distributes a variety of malware strains,
but primarily focuses on delivering JSSLoader before handing over access to the Sangria Tempest ransomware actor,
also known as FIN7. Microsoft explains: Storm-0324's email themes typically reference invoices
and payments, mimicking services such as DocuSign, QuickBooks, and others. Users are ultimately
redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload.
Storm-0324 is financially motivated, straightforwardly criminal, but its attack methods show considerable sophistication.
The actor's email chains are highly evasive, making use of traffic distribution systems like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic.
This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site. In full disclosure, we note that Microsoft is a CyberWire partner.
The Symantec ThreatHunter team describes a new ransomware family called 3AM. So far,
the ransomware has only been used in a limited fashion, and Symantec's researchers have seen it
used in a single attack by a ransomware affiliate that attempted to deploy LockBit on a target's
network and then switch to 3AM when LockBit was blocked. In this attack, Symantec notes,
the use of 3AM was only partially successful. The attackers only managed to deploy it to three
machines on the organization's network, and it was blocked on two of those three computers. The researchers add, however, that the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future.
So, it seems even the crooks need a fallback sometimes.
Researchers at Orca discovered eight cross-site scripting vulnerabilities
affecting several Apache services on Azure HDInsight.
The vulnerabilities could be exploited to perform unauthorized actions,
varying from data access to session hijacking and delivering malicious payloads.
Orca notes: all XSS vulnerabilities posed significant security risks to data integrity
and user privacy in the vulnerable Apache services, including session hijacking and
delivering malicious payloads, putting any user of the Apache services at risk, including Apache Hadoop, Spark, and Oozie.
Microsoft issued patches for the flaws back on August 8th.
NSA, CISA, and the FBI have issued a cybersecurity information sheet contextualizing deepfake threats to organizations,
intended to lay out the nature of the family of technologies loosely grouped as
deepfake technologies. These include sophisticated video and image manipulation, as well as text
generated by artificial intelligence systems through large language models. The tone of the
warning is prospective rather than immediate, the advisory says. As with many technologies,
synthetic media techniques can be used
for both positive and malicious purposes.
While there are limited indications of significant use of synthetic media techniques
by malicious state-sponsored actors,
the increasing availability and efficiency of synthetic media techniques
available to less capable malicious cyber actors
indicate these types of techniques
will likely increase in frequency and sophistication. Defensive measures remain works in progress,
but the three agencies offer some suggestions for organizations beginning to prepare themselves for
this particular form of disinformation. Deceptive use of AI is also receiving some congressional attention.
Reuters reports that a measure to limit AI's exploitation in political campaigns has been introduced in the U.S. Senate.
The sponsors, Senators Klobuchar, Coons, Hawley, and Collins said,
of materially deceptive AI-generated audio, images, or video relating to federal candidates in political ads
or certain issue ads to influence a federal election or fundraise.
The U.S. Department of Defense has sent its 2023 Cyber Strategy to Congress
and made an unclassified version available to the public.
Assistant Secretary of Defense for Space Policy John Plumb said,
This strategy draws on lessons learned from years of conducting cyber operations
and our close observations of how cyber has been used in the Russia-Ukraine war.
It has driven home the need to work closely with our allies, partners, and industry
to make sure we have the right cyber capabilities,
cybersecurity, and cyber resilience to help deter conflict and to fight and win if deterrence fails.
The strategy outlines what it calls four complementary lines of effort. First, defend
the nation. Second, prepare to fight and win the nation's wars. Third, protect the cyber domain with allies and partners.
And fourth, build enduring advantages in cyberspace.
The strategy says, in Russia's war on Ukraine,
Russian military and intelligence units have employed a range of cyber capabilities
to support kinetic operations and defend Russian actions through a global propaganda campaign. Russia has
repeatedly used cyber means in its attempts to disrupt Ukrainian military logistics,
sabotage civilian infrastructure, and erode political will. To be sure, the Russian cyber
campaign has fallen well short of expectations, but that's no accident, the Department of Defense
says. The Russians faced
effective collaborative opposition. The strategy notes, while these efforts have yielded limited
results, this is due largely to the resilience of Ukrainian networks. In a moment of crisis,
Russia is prepared to launch similar cyber attacks against the United States and our allies and
partners. The strategy also notes that deterrence in cyberspace
requires that cyber capabilities be integrated with other capabilities and operations,
that cyber operations deter best when they're integrated as combat support and when they're
accompanied by other measures, presumably including non-military legal and economic action.
The report states,
Experiences have shown that cyber capabilities held in reserve or employed in isolation render little deterrent effect on their own.
Instead, these military capabilities are most effective when used in concert with other instruments of national power,
creating a deterrent greater than the sum of its parts.
So, cyber deterrence isn't like nuclear deterrence, where simply having the capability serves to dissuade the adversary.
Cyber deterrence works when it's integrated with hard kinetic power, soft diplomatic power,
and just right legal and economic power. Just saying, trust me, pal, I got a zero day with your name on it
doesn't cut it, even when you've really got that zero day. And finally, a reminder, yesterday was
September's Patch Tuesday. Microsoft addressed 61 numbered vulnerabilities, SAP issued 18 patches,
and Adobe fixed issues in Acrobat and Reader, Experience Manager, and Connect.
Admins, users, sisters, brothers, cousins, and aunts, review your systems,
and as CISA would say, apply updates per vendor instructions.
Coming up after the break,
Ann Johnson from the Afternoon Cyber Tea podcast
speaks with Jenny Radcliffe about the rise in social engineering.
Deepen Desai from Zscaler shares a technical analysis of Bandit Stealer.
Stay with us.
Ann Johnson is the host of the Afternoon Cyber Tea podcast from Microsoft.
And in this excerpt from a recent episode, she speaks with Jenny Radcliffe about the rise in social engineering.
Today, I'm joined by Jenny Radcliffe, better known in some circles as the people hacker.
Jenny is an ethical social engineer, a people hacker, hired to smash security measures
using psychology, con artistry, subliminal linguistics, cunning, and guile.
Jenny has led simulated cyber criminal attacks on businesses of all types and sizes,
running crews with varied expertise and experience to help secure client sites
and information from malicious attacks.
She is the go-to expert on the human element of security, scams, and social engineering,
and is also host of the award-winning podcast, The Human Factor.
Welcome to Afternoon Cyber Tea, Jenny.
Thank you for having me. It's a pleasure to be here.
So, can you start by talking, you know, layperson's terms, right? Someone who's not a security professional, the description of a social engineer, an ethical hacker, and tell us how you found your
way into this interesting career onto the ethical side of hacking and the ethical side of social
engineering. Yeah, I mean, you know, people hacker is still a hacker, right? And I think people always
think of hackers, we use that term interchangeably with criminal a lot of
the time. And that's not always the case. As you say, you know, ethical hackers play a huge part
in defense. And social engineering is really, it's another kind of misnomer for people because
what it does is it tests security systems without using technology, okay?
Or rather kind of aligned with technology.
So I'm all about working on psychology of what people think
and what we can get people to do,
what we can persuade, manipulate people to do.
And that always sounds very negative,
but I always say to people,
think of it kind of like a fire test, you know, like a fire drill, sort of a cross between that and a kind of really sort of scummy version
of Ocean's Eleven, where not everyone's quite that good looking. And so, yes, that's what we
do. So I'm hired by organizations and high net worth individuals to attempt to break their security through psychology, essentially, through
conversation, through sort of human characteristics. Do you find that the strategies and tactics used
in the physical world are the same as the cyber world? And do cyber social engineers and criminals
have a distinctly unique approach? No, you know, not on my side of it. Like
the tactics are the same, you know, it's still always kind of looking for that human connection,
looking to sort of try and exploit what someone would forget. I mean, we look at that, we look
at the system holistically. Okay. So it's not that you can actually, in many ways,
separate the physical and the cyber when it comes to attack.
I think that's something that the security industry do a lot.
And from a criminal perspective, and again, I'm ethical,
but I wear a criminal hat, we just look at the system holistically.
So for example, I've never been a technical hacker.
I have lots of friends who are brilliant hackers, technically, and they've taught me one or two things.
But I've never looked at it that way.
However, of course, as soon as cyber comes online and systems are relying more and more on technology, we just incorporate that into the mix.
It's the same.
It's still just looking for a weakness.
We've talked a lot about individuals and things to look out for, but do you have any other tips
before we move into our typical close? Anything else for people as an individual, not necessarily
a company that they should be looking out for? Just out of context things, you know, it's like I always say emotion, urgency, call to action,
money. But really the thing is, if you're being asked to do something
that's just not usual, especially if it's emotional, especially if it's about money or
getting around procedure, just be more suspicious. And you know, this is a horrible thing because people say, oh,
but it's awful that we have to be suspicious. You sound paranoid, but you know, it kind of
takes some of the enjoyment out of life. And the truth is we need to be honest with people. Yes,
it does. It does stop us all enjoying life. You know, if scammers and social engineers,
malicious social engineers and criminals
were not present, the world would be a much happier, more harmonious place. But I'm sick
and tired of this industry being so afraid of frightening people that we stop being direct.
Treat them like grown-ups and say, if something feels off, check it before you click. And that does mean, unfortunately,
that we've got to be more suspicious than we'd like.
That is reality. That is the life.
There's a lot of things trying to help, data helps.
There's a technology and people trying to help you.
But the bottom line is we do need to be more suspicious.
That's Ann Johnson from Microsoft speaking with Jenny Radcliffe.
You can hear the entire Afternoon Cyber Tea podcast episode on our website, thecyberwire.com.
And joining me once again is Deepen Desai.
He is the Global CISO and Head of Security Research and Operations at Zscaler.
Deepen, it's always great to welcome you back.
You and your colleagues recently published some research here looking at Bandit Stealer.
What can you share about this group here?
Yeah, thank you, Dave. So the Zscaler Threat Labs team
as part of our global threat landscape tracking activity
tracks several different malware families and there is
a specific focus on information stealing Trojans
and we do keep an eye out for any new
family strains on the block as well.
So Bandit Stealer actually is something that the team saw emerge in April of 2023.
It's a new information stealer.
It collects sensitive information from victims' machine upon successful attack. And the information includes things like cookies,
saved login data, credit card information from several supported web browsers.
We also saw it look for popular FTP clients
and email clients installed on the endpoints.
And of course, the goal over there is, again,
to exfiltrate information that those applications have access to.
Another functionality we saw over here was Bandit Stealer
will also target cryptocurrency wallet applications.
They're basically looking to steal those cryptocurrency wallets as well.
And how does one find themselves a target of Bandit?
This does show up in the phishing attacks
that you see commonly.
In this case, they're not going after specific groups,
at least not something that we saw in our analysis.
This is where they will target users
who will click on things resulting in pirated software
or resulting in those fake updates getting downloaded.
Once the payload is on the system,
that's where the whole behavior starts,
where to look for specific browsers.
There's more than a dozen different cryptocurrency wallets
that they will look after,
FTP applications and the likes.
Now, you note in the research here that they're attempting to be fairly stealthy in terms of evading virtual environments and detection?
Yes. So they do have a specific module where the goal over there is to flag security researchers
doing analysis on virtual machines
or even automated sandbox-based analysis
where these payloads will get flagged.
So they do have detections for those environments.
They will also look at whether the parent process,
and I'm kind of going geeky over you right now,
but the process that actually invokes the malware payload
is what it expects it is to be.
And it's not actually running under some sandboxing process.
So again, the goal over here is to stay undetected
and make sure they're able to persist in the victim environment
for as long as possible without being detected by any of these security applications. One additional
thing I'll call out over here is, and this is very, very old school, we actually saw it managing
huge blacklists of IP addresses. And these are IP addresses
belonging to antivirus companies,
security sandboxes,
and things of that nature.
So you guys could look at it in the blog as well.
We've actually called it out.
There's IP addresses that are blacklisted.
There are MAC addresses that are blacklisted.
There are user names that are blacklisted,
which are commonly associated with this sandboxing environment.
And they go down to the level of process names and PC names as well.
Interesting.
Also noteworthy that this is written in the Go programming language.
It seems like that's been a trend lately, yes?
Yeah, Go and then we're also seeing Rust being heavily used by cyber criminals.
All right. Well, Deepen Desai is the Global CISO and Head of Security Research and Operations at Zscaler.
The research we're discussing today is technical analysis of Bandit Stealer.
Deepen, thank you so much for joining us.
And that's the Cyber Wire. For links to all of today's stories, check out our
daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email
us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500. We make you smarter about your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Urban and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.