CyberWire Daily - Investigating China’s Storm-0558. Monti ransomware is back. Evasive phishing. Realtors’ MLS taken down in ransomware incident. News from Russia’s hybrid war. And in-game scams.
Episode Date: August 15, 2023. New targets of Chinese cyberespionage are uncovered. Monti ransomware is back. An evasive phishing campaign exposed. A Realtors' network taken down by cyberattack. A closer look at NoName057(16). Perspective on cyberwar - remember Pearl Harbor, but don't see it everywhere. Ben Yelin on the Consumer Financial Protection Bureau's plans to regulate surveillance tech. Microsoft's Ann Johnson and Charlie Bell ponder the future of security. And scammers are targeting kids playing Fortnite and Roblox. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/155 Selected reading. Chinese spies who read State Dept. email also hacked GOP congressman (Washington Post) Binary Ballet: China's Espionage Tango with Microsoft (SecurityHQ) Microsoft Exchange hack to be investigated by US Cyber Safety Board (Computing) Monti ransomware targets VMware ESXi servers with new Linux locker (BleepingComputer) Evasive Phishing Campaign Steals Cloud Credentials Using Cloudflare R2 and Turnstile (Netskope) Cyberattack on Bay area vendor cripples real estate industry (The Real Deal) Intel insiders go undercover revealing fresh details into NoName hacktivist operations (Cybernews) Why the US Military Wants You To Rethink the Idea of 'Cyber War' (The Messenger) A Huge Scam Targeting Kids With Roblox and Fortnite 'Offers' Has Been Hiding in Plain Sight (WIRED) Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
New targets of Chinese cyber espionage are uncovered.
Monti ransomware is back.
An evasive phishing campaign's been exposed.
A realtor's network's taken down by cyber attack.
A closer look at NoName057(16).
Perspective on cyber war.
Remember Pearl Harbor, but don't see it everywhere?
Ben Yelin on the Consumer Financial Protection Bureau's plans to regulate surveillance tech.
Microsoft's Ann Johnson and Charlie Bell ponder the future of security.
And scammers are targeting kids playing Fortnite and Roblox.
I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, August 15th, 2023. The Washington Post reported yesterday on the recent compromise of the Microsoft Cloud,
currently under investigation by the U.S. intelligence community,
as well as by the Cyber Safety Review Board.
At least one member of Congress, Representative Don Bacon, a Republican from Nebraska's 2nd District, a strong supporter of Taiwan who serves on the House Armed Services Committee, said Monday that the FBI had informed him that his email had been compromised in the incident.
The espionage itself is unremarkable; the successful attack, however, is remarkable.
As the Post notes,
for cloud email and authentication services.
The risks of the alleged security monoculture will doubtless figure in the Cyber Safety Review Board's inquiry.
Microsoft's own assessment of the incident has concluded
that the threat group Storm 0558
was forging Azure Active Directory tokens
using an acquired Microsoft Account Consumer Signing Key.
Microsoft wrote yesterday,
this was made possible by a validation error in Microsoft code. Storm-0558 is an espionage
operation. Its targets include U.S. and European diplomatic, economic, and legislative governing
bodies and individuals connected to Taiwan and Uyghur geopolitical interests.
The group's post-compromise activity concentrated on accessing and extracting emails from the
target's accounts. Microsoft has mitigated this particular risk and says no customer action is
required. We note in disclosure that Microsoft is a CyberWire partner. Bleeping Computer reports that the Monti ransomware has resurfaced after a two-month hiatus
and is using a new encryption tool to target VMware ESXi servers at legal and government organizations.
Researchers at Trend Micro state that, unlike the earlier variant,
which is primarily based on the leaked Conti source code,
this new version employs a different encryptor with additional distinct behaviors.
As of this writing, only three security vendors that had the sample tagged it as malicious on
VirusTotal. Netskope has been tracking a 61-fold increase in traffic to phishing pages hosted on the free hosting service Cloudflare R2.
The phishing pages are primarily targeting Microsoft login credentials
with a smaller focus on Adobe, Dropbox, and other cloud apps.
The researchers note that the attacks show both misdirection and discrimination.
Netskope writes,
To evade detection, they are using two noteworthy techniques
to prevent scanners and URL analyzers from detecting the phishing pages.
First, they're using Cloudflare Turnstile to protect the pages with a CAPTCHA.
This technique prevents scanners and analyzers from visiting the URLs
and observing their contents while allowing victims to easily access the pages.
Second, many of the pages only load the malicious content
if it was passed by another malicious referring site.
This helps ensure that only the intended targets are served the phishing content.
A cyber attack against data hosting provider Rapattoni Corporation
has taken down numerous multiple listing services, the MLS, used by realtors around the country.
Peg King, a Coldwell Banker agent in Petaluma, told the North Bay Business Journal,
It's paralyzed the real estate industry. We can't add listings. We can't make price changes.
We have no idea how to show properties unless we try to
figure out who has something listed. The website The Real Deal reports that the incident was a
ransomware attack and the FBI is investigating. Radware researchers offered an unusually close
look at the Russian hacktivist auxiliary NoName057(16). They presented their results at Black Hat and also shared them
with CyberNews, which has an extensive account of the study. They gained their insights by
infiltrating the group. CyberNews writes, so in the name of research, the two security experts
created a fake profile, joined the over 11,000 other volunteers following the group's DDoSia Telegram channel
and downloaded detailed instructions on how to participate in the experimental gamification challenge.
They see NoName ascending as its colleagues in Killnet and Anonymous Sudan decline.
NoName is now, by a considerable measure, more active than other Russian hacktivist auxiliaries.
NoName runs a platform, DDoSia, which, as the name implies, affords a way of crowdsourcing distributed denial-of-service attacks against targets in Ukraine and countries that support Ukraine.
put the tally of attacks in the first half of 2023 at 1,074.
32 different nations were hit in only 176 days.
The motivations of the hacktivists participating in DDoSia are mixed.
They're driven in part by Russian patriotic zeal,
but also in part by the promise of payment.
NoName promises hundreds, sometimes thousands of dollars in altcoin to participants who earn it,
but it's unclear how large the payouts have been.
The payment system isn't well constructed.
The Radware researchers found
that it was relatively easy to manipulate
in ways that pulled in cryptocurrency
a participant wouldn't otherwise be entitled to.
NoName is best known for nuisance-level attacks against vulnerable targets of opportunity,
but Radware sees signs of that changing
as the auxiliary looks to higher-value, higher-payoff targets in critical infrastructure sectors.
The researchers also don't see NoName and other hacktivist auxiliaries standing down
when Russia's war eventually ends.
They'll probably
form an enduring feature of the threat landscape. One of the striking features of Russian cyber war
during its invasion of Ukraine has been its surprising lack of decisive effect. When Russia
wanted to shut down power generation, it used missiles, not malware. Many have wondered why this has been so.
It turns out that cyber war is real, but it's not real in the bolt-from-the-blue way many imagined.
Mieke Eoyang, U.S. Deputy Assistant Secretary of Defense for Cyber Policy,
addressed the mismatch between expectation and reality during a presentation at DEF CON. The cyber threat, she argued, is real, just not
decisive in the way popular imagination expected it to be. She doesn't put it this way, but it's
probably better to analogize cyber operations to espionage, reconnaissance, surveillance,
and electronic warfare than to massive kinetic strikes. Policymakers often ask,
Eoyang said,
can you just give me a cyber option?
This, however, is tougher than it seems.
It takes time and preparation.
It takes understanding.
It takes engineering.
It takes coding to design a cyber attack,
she said.
It's not what I think a lot of people expect.
And finally,
you like those in-game purchases, don't you?
Well, the in-game money isn't exactly the same thing as real money.
It's less fungible.
Wired reports that thousands of websites belonging to U.S. government agencies,
leading universities, and professional organizations
have been hijacked over the past five years to deliver malware or
malicious apps under the guise of free in-game currency and skins for Fortnite and Roblox.
Many of these scams are targeted at children. According to Techspot, Epic Games stresses that
there is no legitimate way for players to sell, gift, or trade V-Bucks, Fortnite's in-game currency.
Roblox developers also advise users
that it doesn't allow the exchange of its Robux currency
through third-party channels
and that any pages offering them for free are likely scams.
Scams, friends, scams.
And the scammers will be the ones dancing
to winner winner, chicken dinner.
Coming up after the break, Ben Yelin on the Consumer Financial Protection Bureau's plans to regulate surveillance tech.
Microsoft's Ann Johnson and Charlie Bell ponder the future of security.
Stay with us. Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it
comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast right here on the CyberWire Network.
In this excerpt from her show, she speaks with Microsoft colleague Charlie Bell about
the future of security.
Here's their conversation.
Today, I'm joined by the Executive Vice President of Microsoft Security, Charlie Bell.
Charlie has over four decades of leadership experience in the tech industry,
from developing space shuttle software to leading the creation of Amazon Web Services'
decentralized engineering system, and now working here at Microsoft to make the digital world
secure and safe for everyone on the planet.
Charlie relishes big challenges and believes that bold innovation is possible with deep
curiosity, continuous learning, and an emphasis on rapid problem solving.
So, and you're coming up, as you mentioned, on two years, and obviously you had this really
impactful and meaningful career before Microsoft.
So tell me why Microsoft and why the pivot to security?
Well, like I said, I was looking at when I started thinking about, well, what is the big problem in the world that I want to work on?
And the more I thought about it, it's security is the I call it the mother of all problems,
because almost everything we do in technology can become
a weapon in the hands of someone. And so you think about all the advances that humanity has had,
you know, since fire, and everything that we create in the computer world and the technology
world can be turned around and used as a weapon. And so you can't really make the kind of progress
we all want to make unless we first solve this problem. So it's kind of the mother of all problems. Unless you feel
secure, imagine all the work that we're going to do to change the world of transportation.
We're going to have a lot of autonomous cars, and we're going to have all the rail that's
driven by software, and just all the transportation world is incredibly digital now.
Well, it's a surface area
that makes you very nervous about what attackers might do to work power infrastructure. You know,
we've seen attacks on gas pipelines. You know, one of the things we hate about ransomware is they go
after hospitals. And so when you think about this problem, until you solve this problem, we have to
walk afraid in everything we want to advance because everything we add could end up
being a new source of problems. So for me, this was like the biggest problem of all.
And the other thing that makes it very interesting is you have a bunch of bad actors out there who
are innovating to try to create new problems. And getting ahead of that innovation...
I know you know this.
And as you look to solve that,
I listen in on and participate in a lot of the calls
you have with your leadership team.
And one of the things that always struck me
and that I think is really poignant to security
is this leadership philosophy you have
around rapid problem solving.
Can you tell us a little bit more about that
and explain why you think speed and acceleration
of problem solving is so relevant, particularly in the security space?
Yeah.
Well, a couple of things.
One is, as I said, it's the mother of all problems.
And so if you want to think of it, you've got to be faster than the fastest innovation.
So take the absolute tip of the spear in what's happening, and you've got to move that fast if you want to protect.
And so that's one driver of speed. We're seeing it play out in generative AI right now.
Microsoft's the first mover in this space, but we got to move really, really fast in the security
world just to make sure that the customers can confidently move forward with it. But also,
you got to remember what I said before, the attackers are constantly innovating. Again,
you have humans out there actively innovating all the time. And so the speed that you move, you just got to move faster than
they do. And so speed is everything. The other thing I'll say is the nice thing about speed is
you accumulate it. And so the faster you innovate, the more quickly you get to the next thing and the
more you can build upon what you already did. And it's the way to think of it. It's like the first derivative of the rate that you're traveling.
So the speed of innovation is incredibly important. And recognize that it's a community
thing. There's no genius that's going to figure everything out here. It's going to be a crowdsourced
kind of view of all the ideas that come in and then make sure that you can quickly harness those ideas and get them in the hands of the people who need them.
It's incredibly important.
Let's switch a little and talk innovation, right?
Microsoft has been in the news and internally hyper-focused on AI, which I've long believed is going to be a step change for the cybersecurity industry.
So what do you think about the overall promise of AI? And what global issues, even outside security, do you think are going to be addressed with AI?
Well, the first thing I'll say is, we talk about the asymmetry of the attacker, the fact
that they come at us from any point. It's like first move in a chess game, they get
to move first.
But we actually have an asymmetry too. The asymmetry on our side is data. We get to see everything. Microsoft, we talk about the 65 trillion signals a day, but we have a tremendous
amount of data. The nice thing about AI is it's all discipline. It doesn't care about a particular
discipline. It thinks across all of it and thinks about it with lightning speed.
It knows it can say, oh, I need to go look at the access logs for X and pull a query and grab it and use that information to provide context for the next action that it's going to take.
And it does all that at machine speed.
And so if there ever is going to be anything that totally changes that asymmetry, it is AI.
Ann Johnson is the host of Microsoft's Afternoon Cyber Tea podcast.
You can find that right here on the N2K CyberWire network. And joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security
and also my co-host on the Caveat podcast.
Ben, welcome back.
Good to be with you again, Dave.
Interesting story.
This comes from the folks over at Reuters,
and it's titled,
U.S. Watchdog to Announce Plans to Regulate Surveillance Industry. What's going on here, Ben?
So we've talked both on this podcast and on Caveat about the problem of data brokers.
So it's very profitable to scrape data from users and sell it. Some of the entities that
are purchasing this data include U.S. government
agencies and local law enforcement agencies, which puts people's First and Fourth Amendment
rights at risk. If the government can go around Fourth Amendment protections and simply purchase
data that might implicate people in the commission of a crime or any illegal activity, then that's kind of a runaround of our constitutional rights.
So with that in mind, the agency in charge of consumer financial protection, the Consumer
Financial Protection Bureau, is planning to announce a plan to regulate companies that
track and sell people's personal data. This is something that's been an interest of the Biden
administration over the past years.
There's been a nexus between this issue and reproductive rights.
After the Dobbs decision, one of the things that President Biden tried to do was get the Federal Trade Commission to protect the data privacy of women seeking reproductive health who are in states where that has been criminalized.
I see.
We've also seen lawsuits by the Federal Trade Commission, which is distinct from the Consumer Financial Protection Bureau.
They sued an Idaho company for selling geolocation data, saying that it could be traced to private
places like abortion clinics, religious institutions, etc.
Right.
Basically, what this proposal would do is expand the number of companies
subject to the Fair Credit Reporting Act,
which is a 1970s law regarding consumer privacy.
And the amendments to this act
proposed by the administration
that they're going to try and put into regulation
would cover the use of data derived from payment histories,
personal income, and criminal records. One thing that they're emphasizing here is the disclosure of something called credit
header data. So these are the names, addresses, and Social Security numbers at the top of the
big three credit bureaus. People oftentimes have to give that information to the credit bureaus
to secure a loan, and they don't want to punish people by submitting that information,
only to have it be sold to data brokers who sell it to somebody
who tries to punish them for something.
I see.
So that's really the focus here.
So I think it's a promising step
for those who are concerned about digital privacy
and this phenomenon of data brokers and the sale of data online.
It's interesting to me that they're going to be using the Fair Credit Reporting Act,
which is a pre-internet law, right?
So rather than coming, I mean, I guess if it's good enough to use and you have it in
your back pocket and it exists and you don't have to, you know, go around the horn with Congress to get something new, then I guess that it's the quickest way to come at something like this.
Yeah, that's exactly what's happening here.
It's going to get – it would be very hard to get a polarized Congress, one where you have each party controlling a single chamber to agree on
a law like this, even though there is bipartisan support for reining in data brokers. But I think
what they're trying to do here is leverage laws that are already on the book. Now, this does lead
to a patchwork approach. This only really addresses information collected by the three
major credit bureaus. So it's relatively limited in scope,
even though that's a lot of information.
And basically more than any other industry,
people do give a lot of sensitive information
to these reporting agencies.
But it is still limited in scope.
So that's just one downside of relying on this federal statute.
It becomes kind of a patchwork
where you address problems one agency at a time.
Yeah.
I mean, I wonder if it puts these
surveillance industry companies on notice
that they're going to be getting more scrutiny
from the federal government.
I suppose the cynical take would be that
if they come at them for a limited amount of things,
then the government can kind of
wash their hands and say, well, look, we're doing something. But I guess time will tell if this
actually has any meaningful dent in the methods and degree to which this surveillance economy
operates. Yeah. I mean, I think the way you put it, a surveillance economy
is correct. There's a lot of money to be made in this. So I think the industry would be okay with
limited regulations pertaining to very specific things like credit reporting. But if we started
talking about blanket bans on data brokers, then the industry would freak out rightfully
because it would threaten their ability to make a profit.
All of this data is very valuable.
You do have to balance the effect that it would have on the market
with I think the really real need to protect people's digital privacy
from these data brokers.
Right.
All right, well, we'll keep an eye on it to see as it develops
what it actually does affect.
But interesting development for sure.
Ben Yelin, thanks so much for joining us. Thanks, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Thank you. cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K
and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people. We make you smarter about your team while making your team smarter. Learn more at
n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.