CyberWire Daily - In today’s symposium, we talk about a new strand of Chae$ malware, some developments in social engineering, privateers in a hybrid war, cyber ops as combat support, and some default passwords.

Episode Date: September 5, 2023

A new variant of Chae$ malware is described. A "Smishing Triad" impersonates postal services. A MinIO storage exploit is reported. Okta warns of attackers seeking senior admin privileges. LockBit compromises a UK security contractor. DDoS takes down a German financial regulator's site. Infamous Chisel as GRU combat support. Joe Carrigan on Meta uncovering a Chinese influence effort. Our guest is Connie Stack, CEO of Next DLP, discussing data breach notification procedure. And please -PLEASE- remember to change your default passwords. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/169

Selected reading.

- Threat Profile: Chae$ 4 Malware (Morphisec)
- "Smishing Triad" Targeted USPS and US Citizens for Data Theft (Resecurity)
- 'Smishing Triad' Targeted USPS and US Citizens for Data Theft (Security Affairs)
- New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services (Security Joes)
- Hackers exploit MinIO storage system to breach corporate networks (BleepingComputer)
- Okta Warns of Social Engineering Attacks Targeting Super Administrator Privileges (The Hacker News)
- More Okta customers trapped in Scattered Spider's web (Register)
- Cross-Tenant Impersonation: Prevention and Detection (Okta Security)
- Breaking: UK MoD attacked by LockBit (Computing)
- German financial agency site disrupted by DDoS attack since Friday (BleepingComputer)
- LogicMonitor customers hacked in reported ransomware attacks (BleepingComputer)
- LogicMonitor customers hit by hackers, because of default passwords (TechCrunch)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A new variant of Chae$ malware is described. A smishing triad impersonates postal services. A MinIO storage exploit's been reported. Okta warns of attackers seeking senior admin privileges.
Starting point is 00:02:14 LockBit compromises a UK security contractor. DDoS takes down a German financial regulator's site. Infamous Chisel as GRU combat support. Joe Carrigan on Meta uncovering a Chinese influence effort. Our guest is Connie Stack, CEO of Next DLP, discussing data breach notification procedures. And please, please remember to change your default passwords. I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, September 5th, 2023. Among the affected targets are MercadoLibre, MercadoPago, WhatsApp Web, Itaú bank, and MetaMask, as well as content management systems including WordPress, Joomla, Drupal, and Magento. The identity of the threat actors behind the malware is murky, but they've come to be known as Lucifer.
Starting point is 00:03:41 The original Chae$ version was first described in November 2020 by Cybereason, which found it active against e-commerce customers in Latin America, especially Brazil. The current variant, like its predecessors, is a criminal tool used to steal information, especially credentials, that can be subsequently exploited for online theft. Chae$ 4 has been completely rewritten in Python and is more difficult to detect than earlier variants. It also features a modular design that lends it greater adaptability.
Starting point is 00:04:16 Infection begins when the victim is induced to execute a malicious installer that usually masquerades as a Java JDK installer or antivirus software installer. The operators of Chae$ 4 show a particular interest in cryptocurrencies. Resecurity has warned that a China-based cyber criminal group is running a smishing campaign targeting U.S. citizens by impersonating postal services. The threat actors are operating a package-tracking text scam sent via iMessage to collect personally identifiable information and payment credentials from victims in the furtherance of identity theft and credit card fraud. The smishing messages
Starting point is 00:04:58 direct victims to a convincing clone of the U.S. Postal Service's website, telling them they need to enter their credit card information in order to pay a small shipping fee as low as 30 cents. The threat actor has targeted users in numerous countries in the past by impersonating the U.K.'s Royal Mail, the New Zealand Postal Service, among others. Researchers at Security Joes have found that a threat actor was exploiting two vulnerabilities in the distributed object storage system MinIO to steal data and execute arbitrary code. The vulnerabilities have been fixed, but the attackers used social engineering to trick a MinIO developer into reverting the service to an earlier vulnerable version. They then used the flaws to gain access to the MinIO administrative console,
Starting point is 00:05:50 which allowed them to push a malicious update containing exploit code. The researchers say, "the executed commands inherit the system permissions of the user who initiated the application. In this instance, due to inadequate security practices, the DevOps engineer launching the application held root-level permissions." Okta has warned of an ongoing social engineering campaign that's targeting IT employees to gain access to super-administrator permissions. This access enables the attackers to abuse legitimate identity
Starting point is 00:06:25 federation features that enable them to impersonate users within the compromised organization. Okta says, "in recent weeks, multiple U.S.-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller's strategy was to convince service desk personnel to reset all multi-factor authentication factors enrolled by highly privileged users." The privateering LockBit ransomware gang has released documents taken in a cyber attack against Zaun, a contractor to the UK's Ministry of Defence that specialises in perimeter physical security, fences, alarms and allied systems. According to Computing, the attack took place over the 4th and 5th of August via a rogue Windows 7 PC running software for a manufacturing machine. Zaun says it was able to limit the effects of the attack, preventing, for example, the encryption of its servers, but some data was lost. The Daily Mirror reports that Zaun serves, among other sites,
Starting point is 00:07:32 HMNB Clyde Trident submarine base, the Porton Down Chemical Weapons Research Laboratory, one GCHQ facility, various prisons, and a military cybersecurity installation. LockBit has now dumped stolen data on a dark web site. On September 1st, Zaun disclosed, "LockBit will have potentially gained access to some historic emails, orders, drawings, and project files. We do not believe that any classified documents were stored on the system or have been compromised. We are in contact with relevant agencies and will keep these updated as more information becomes available. This is an ongoing investigation and, as such, subject to further updates." On Friday, a DDoS incident rendered the site of BaFin, Germany's Federal Financial Supervisory
Starting point is 00:08:23 Authority, inaccessible. The authority tweeted that the public website was the only aspect of its operation affected and that the regulator's other activities continued uninterrupted. Access to the website seems this morning to have been restored, Security Affairs reports. The attack hasn't so far been attributed to any threat actor, but Bleeping Computer cites reasonable and informed speculation that points toward a Russian hacktivist auxiliary whose objective was to punish Germany for its support of Ukraine. The UK's Ministry of Defence on Monday reviewed the recently exposed Infamous Chisel campaign against Ukrainian military targets.
Starting point is 00:09:06 The MOD sees the deployment of the Android malware as a significant instance of cyber operations used as combat support. It's also worth repeating that Infamous Chisel is Android malware, and its development and deployment shows the increasing convergence of commercial communications tools with military systems. The personal may not always be the political, as the old Marxist saw had it, but nowadays the personal seems to have become the tactical, at least where communications and intelligence collection are concerned. And finally, have you changed all your default passwords to something better? You really should, you know.
Starting point is 00:09:48 Cloud infrastructure monitoring company LogicMonitor has disclosed that several of its customers were hit by cyber attacks. TechCrunch cites an anonymous source as saying the attacks were caused by weak default passwords LogicMonitor assigned to its customers. The source stated, "When you set up an account with LogicMonitor, they define a default password and all user accounts for your organization and account are made with that password. They also didn't require the changes,
Starting point is 00:10:18 nor were they temporary passwords until this week. Now the setup password lasts 30 days and must be changed on first login." LogicMonitor hasn't disclosed the nature of the attacks, but anonymous sources close to the incidents told Bleeping Computer that the attackers were able to create local accounts and deploy ransomware. In fairness to LogicMonitor, all default passwords represent an inherent, if perhaps inevitable, weakness. So do change them, and if you're a vendor, be sure to nudge your users in that direction. Coming up after the break, Joe Carrigan explains how Meta uncovered a Chinese influence effort. Our guest is Connie Stack, CEO of Next DLP, discussing data breach notification procedures.
Starting point is 00:11:14 Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
Starting point is 00:12:01 workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:12:58 In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Where does your organization stand when it comes to data breach notification procedures? Do you have a runbook, a framework, outside counsel on retainer, perhaps a PR company on speed dial? Connie Stack is CEO of data protection firm Next DLP, and I spoke with her about navigating the complexities of data breach notification requirements. A lot of people, frankly, they're not necessarily 100% certain when notification is required because there are very, you know, there are specific regulations within states. There are specific regulations within particular industries. But essentially, when and if you experience a data breach,
Starting point is 00:14:06 and many companies have, in many instances, there is a requirement to notify those that will be impacted by that breach. And even the definition of impacted is, you know, different state by state and regulation by regulation. But essentially, I think a good rule of thumb is that if sensitive information is lost, information like PII or personally identifiable information, information governed by HIPAA or the Health Information Portability and Protection Act, those are the kinds of data that if you have a breach at your organization and you believe sensitive information in either one of those categories or potentially even intellectual property is lost, there should be notification
Starting point is 00:14:50 required in those instances. So good rule of thumb, you lose PII, you lose PHI, you lose PCI credit information, you can assume notification is required. And an organization who is developing breach response policies should clearly understand what requirements there are for notification in the states and in the vertical categories in which they exist. It strikes me that, of course, this is one of those things that you want to do all of your planning ahead of time, not when you're in the heat of the moment having experienced a data breach. Do you have any words of wisdom here for people's order of operations? Having a runbook, rehearsing your actions, those sorts of things, tabletop exercises. So do all of those sorts of things come into play here? Absolutely, Dave. I love,
Starting point is 00:15:50 actually, NIST has published a series of standards, best practices, and recommendations, and I don't think they refer to them as the three Ps of a breach response, but I do. And the three Ps that they recommend are policy, plan, and procedure. So when it comes to policy, I mean, that is stage one. As you said, before a breach event even occurs, you should have a policy in place that governs how your organization will, you know, respond to a potential, you know, data breach or loss of sensitive information. And that policy should clearly define, you know, the scope, you know, who is it going to apply to, under what circumstances will this policy be enacted, and so on. But essentially, the first P of breach response is policy, and you should have one. The second one,
Starting point is 00:16:30 which really falls out of that policy, is your plan for breach response, right? I mean, this is your high-level strategy for implementing, you know, that data breach policy. So the plan really should identify all the organization resources that you're going to tap into, any required management support. If you require any, you know, tailored kinds of communications, you might want to enlist the help of a PR firm and make that a part of your plan and so on. And then out of that plan is a set of procedures that you should be able to follow. You know, it should be, again, well-defined. You should have, you know, the ability to follow those clearly because, again, you have predefined those as a part of your overall data breach, you know, policy. And typically when it comes to these procedures, you know,
Starting point is 00:17:16 the first thing any organization who suspects a data breach or has confirmed a data breach, they absolutely want to contain the impact of that breach, right? They've got to work hard. If they were breached because of a, you know, a vulnerability in software that they use, then you've got to patch that vulnerability, right? You need to make sure you're containing the impact of the, you know, the attack or the breach that you've suffered. And then you really need to assess and quantify, right, what was the extent
Starting point is 00:17:46 of this breach, right? Because those, the extent of the breach will determine whether or not indeed it is disclosable and whether you need to notify those people who may have been impacted. And those people could be, you know, like I said, your customers in some cases, your employees in other cases, and so on. So that assessment is a really important part of your procedure as well. And then the notification comes in and here's where, you know, you want to be crystal clear with your notification procedures. You want to understand who has to be notified within what deadlines and timelines they need to be notified, what methodologies or approaches you can take to notify them. And they can range from They can range from email to social media posts to special pages on your website and so on and so forth.
Starting point is 00:18:30 And then ultimately, review and refine. You want to make sure that the response to your breach was sufficient, that you minimize the damage to your business, and that you've put corrective measures in place and put improvements in place to your breach policy and notification policies that you may have acted against in this particular breach, that they need refinement moving forward, that should be a part of it as well. step that often gets, you know, I think everybody just takes a deep breath and go, you know, whoa, we survived, but you really should make it a constant, you know, improvement cycle, you know, where possible, because you will learn things with every potential breach and containment exercise and notification exercise that you would then apply, you know, should you suffer a breach again in the future.
Starting point is 00:19:23 We don't want that to happen, of course, but sometimes, you know, it does, frankly, you know, there's certainly everybody, you know, practitioners of security know it's very difficult to plug all the holes and the bad guys just need to find that one, right? So it can happen more than once and you want to be prepared and handle, you know, the breach as professionally and efficiently and effectively as possible to minimize the damage to your business, your customers, that's really a top priority. Who within an organization should have ownership of this?
Starting point is 00:20:02 You know, it really, it should be security, should be your quarterback. I think it is atypical for an organization to have somebody outside of security quarterbacking these kinds of efforts. But it does not mean you don't enlist the support of others outside of the security team, because you may need people from within the business organization or in a line of business to help you truly understand the sensitivity levels around data that might have been lost or exposed in any kind of breach. So you're going to put together a cross-functional team that the cybersecurity experts and your security team, CISOs often quarterback these, like I said, these response efforts. But again, there is even within your organization, notifications are required to senior management,
Starting point is 00:20:54 potentially to boards. If you're a publicly traded company, board notification is going to be important as well. So it usually is security that quarterbacks, but again, many members of your team across functional areas of the business should be supporting breach response and notification effort as well. That's Connie Stack. She's CEO at data protection firm Next DLP. Joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute
Starting point is 00:21:38 and also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave. Interesting article. This is written by Sarah E. Needleman for the Wall Street Journal, and it's titled, Meta Uncovers Largest Ever Chinese Influence Network.
Starting point is 00:21:52 What's going on here, Joe? Well, Meta has come out and said that they've found 7,700 accounts. They've taken down a bunch of accounts across more than 50 apps, including 7,700 apps or accounts on its own Facebook and Instagram. They also found accounts on YouTube, TikTok, Reddit, Pinterest, X, formerly Twitter, and other smaller platforms as well.
Starting point is 00:22:16 The operation, here we go, Dave, the operation is known in the security community as Spamouflage. Nice. And it dates back to 2019. And it's linked with people in the Chinese government or Chinese law enforcement. Okay. Now, China denies their involvement here. Right.
Starting point is 00:22:35 But that's standard for a lot of governments. I'm sure that if China accused us of the American government of doing something, we'd say, no, no, no, that's not us. But this is tradecraft, really, as far as I'm concerned. But this is the largest takedown that Meta has ever orchestrated, 7,700 accounts on their systems. It's interesting that, first of all, 7,700 doesn't sound like a huge number to me relative to the size of Meta's platforms.
Starting point is 00:23:07 And also, you know, if you think of just populations of both the U.S. and China, there's 7,700. Big, but not huge. Right. It's interesting to me, too, that Meta says that their view of this is that these really didn't get a whole lot of traction. And maybe it's because of the small size of the network, but I don't think that's really why. I think it's probably because they were doing this. Yeah, it was called by Ben Nimmo, who's a global threat intelligence lead at Meta, said they're throwing spaghetti at the wall to see what sticks.
Starting point is 00:23:42 So they're just going with quantity over quality. So that's why it's probably not the most effective. There was a bunch of criticism in these social network sites about election interference and allowing election interference in the 2016 election. And of course, everybody thinks they cleaned up the rack, right? But I don't think that's what's going on. This is why I say, don't get your news from social media, right? Just don't do it. Don't look at that. Don't let something on social media you see irritate you. It's probably not true. You owe it to yourself to take the time to find out and through sources that you've vetted to go and look at whatever it is that's being said to see if it's true. Now, these were all pro-Chinese messages and messages meant to disparage the U.S.
Starting point is 00:24:37 Right. Right. In this campaign. There's also mention of a Russian campaign, which was a social media campaign meant to decrease the population's desire for support for Ukraine. So, I mean, this is how, again, I say this is tradecraft for these folks. This is what they're doing. They're trying to change how people think about this. So maybe they reprioritize when it comes time for them to vote in their elections. Well, I suppose in a country as divided as ours is right now,
Starting point is 00:25:09 if you're able to move that needle even just a little bit, that could make a difference. Yeah. Yeah, that's right. And sadly, I'll say this about people in America. It's like shooting fish in a barrel on social media. These social media apps are designed to keep you engaged. They're designed to keep your eyes on the page. That's what they are intended to do. And the algorithm behind the app and what gets put on your page does not care if you're a Democrat, a Republican, a Libertarian, a Green Party member. It knows that you are. It also knows how you feel about the message.
Starting point is 00:25:53 Do you want to see something that, are you the kind of person that likes to see stuff you agree with? Are you the kind of person that likes to see stuff you disagree with? Are you the kind of person that engages angrily with other people? It doesn't make any distinction about your feelings on the subject. All it cares about, the only metric it's using is how much time you spend on the platform. Yeah. So that's why people are remarkably susceptible to these things. Not particularly to this campaign because this campaign wasn't that well run.
Starting point is 00:26:22 But a better run campaign can be much more effective. Yeah. Well, and certainly as we're in the run-up to the next round of national elections here, this is the kind of thing- This is going to be a fun cycle, Dave. We're going to see a lot more of this. Yeah. Yeah.
Starting point is 00:26:33 All right, again, an article from the Wall Street Journal written by Sarah Needleman. Joe Carrigan, thanks for joining us. It's my pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:27:46 Visit ThreatLocker.com today to see how a default-deny approach can Advantage banking account and we'll give another $100 to a charity of your choice. This great perk and more, only at RBC. Visit rbc.com slash get 100, give 100. Conditions apply. Ends January 31st, 2025. Complete offer eligibility criteria by March 31st, 2025. Choose one of five eligible charities. Up to $500,000 in total contributions.
Starting point is 00:28:15 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment with Jason and Brian on their show for a lively discussion of the latest news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com
Starting point is 00:28:38 Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
Starting point is 00:29:10 N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.
Starting point is 00:29:32 We'll see you back here tomorrow. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com
