CyberWire Daily - Iran's cyber quest in Middle Eastern aerospace.

Episode Date: February 29, 2024

Iran-Linked Cyber-Espionage Targets Middle East's Aerospace and Defense. SpaceX is accused of limiting satellite internet for US troops. Savvy Seahorse floods the net with investment scams. GUloader malware draws on a crafty graphic attack vector. Repo confusion attacks persist. European consumer groups question Meta's data collection options. Allegations of Russia targeting civilian critical infrastructure in Ukraine. Cisco patches high-severity flaws. The US puts a Canadian cyber firm on its Entity List. On the Threat Vector segment, we have a conversation between host David Moulton and Michael "Siko" Sikorski, Unit 42's CTO and VP of Engineering, discussing Unit 42's 2024 Incident Response Report. And the counter-productive messaging in anti-piracy campaigns.

CyberWire Guest
On the Threat Vector segment, we have a conversation between host David Moulton, Director of Thought Leadership at Palo Alto Networks Unit 42, and Michael "Siko" Sikorski, Unit 42's CTO and VP of Engineering, discussing Unit 42's 2024 Incident Response Report.

Selected Reading
- Suspected Iranian cyber-espionage campaign targets Middle East aerospace, defense industries (The Record)
- US tells Musk to allow service in Taiwan (Taipei Times)
- SpaceX Refutes Claim It's Withholding Starshield in Taiwan (Bloomberg)
- Beware the Shallow Waters: Savvy Seahorse Lures Victims to Fake Investment Platforms Through Facebook Ads (Infoblox)
- GUloader Unmasked: Decrypting the Threat of Malicious SVG Files (McAfee Blog)
- Over 100,000 Infected Repos Found on GitHub (Apiiro)
- Rights groups file GDPR suits on Meta's pay-or-consent model (The Register)
- Russia Attacked Ukraine's Power Grid at Least 66 Times to 'Freeze It Into Submission' (WIRED)
- Cisco Patches High-Severity Vulnerabilities in Data Center OS (SecurityWeek)
- Network intelligence company Sandvine banned from trading in the US (SC Media)
- Intimidating anti-piracy warnings have the opposite effect on men, new study says (TechSpot)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Iran-linked cyber espionage targets Middle East's aerospace and defense. SpaceX is accused of limiting satellite internet for U.S. troops. Savvy Seahorse floods the net with investment scams. GUloader malware draws on a crafty graphic attack vector.
Starting point is 00:02:18 Repo confusion attacks persist. European consumer groups question Meta's data collection options. Allegations of Russia targeting civilian critical infrastructure in Ukraine. Cisco patches high-severity flaws. The U.S. puts a Canadian cyber firm on its entity list. On our Threat Vector segment, we have a conversation between host David Moulton and Michael Sikorski, Unit 42's CTO and VP of Engineering. They're discussing Unit 42's
Starting point is 00:02:46 2024 incident response report and the counterproductive messaging in anti-piracy campaigns. It's Thursday, February 29th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Happy Leap Day, everyone. It is great to have you here with us. Security researchers have identified an ongoing cyber espionage campaign targeting the aerospace, aviation, and defense industries in the Middle East with indications of links to Iran. This operation, conducted by a group Mandiant tracks as UNC1549 and associated with the Iranian-linked Tortoiseshell,
Starting point is 00:03:50 is focused on Israel, the UAE, and possibly extending to Turkey, India, and Albania. The campaign, initiated around June 2022, employs unique malware to infiltrate entities, leveraging evasion techniques and Microsoft Azure cloud infrastructure for concealment. Two specific backdoors, MINIBIKE and MINIBUS, facilitate file exfiltration, command execution, and enhanced reconnaissance. MINIBIKE was detected between June of 2022 and October of 2023, while MINIBUS appeared from August 2023 to January. Additionally, a custom tunneler called LIGHTRAIL
Starting point is 00:04:33 was utilized to obscure malicious internet traffic. The potential involvement of Iran's Islamic Revolutionary Guard Corps, particularly noted for its support of Hamas as well as recent sanctions by the U.S. for cyberattacks, underscores the geopolitical implications of this cyberespionage effort against defense-related targets amidst regional tensions. SpaceX has a contract with the U.S. government to provide satellite internet services for U.S. troops overseas. As my N2K
Starting point is 00:05:06 colleague Alice Carruth reports for the T-Minus podcast, some believe they're coming up short. SpaceX is in hot water with the U.S. federal government over allegedly withholding service of its military-focused Starshield system for U.S. troops in and around Taiwan. Starshield is a program that SpaceX launched in December 2022 to provide secure satellite internet access to the military and government agencies. U.S. Representative Mike Gallagher sent a letter to SpaceX CEO Elon Musk to say he's learned from multiple sources that Starshield is inactive in and around Taiwan, despite a contract with the Pentagon to serve U.S. troops in the region. SpaceX and Musk have not publicly responded to the letter from Gallagher. That's Alice Carruth from the N2K T-minus Daily Space Intelligence podcast.
Starting point is 00:06:01 Do check that show out if you have not already done so. It is well worth your time. Researchers at Infoblox describe a threat actor named Savvy Seahorse that orchestrates sophisticated investment scams, leading to over $4.6 billion in losses in the U.S. in 2023, according to the Federal Trade Commission. Using Facebook ads, Savvy Seahorse entices victims into fake investment platforms, spoofing major companies, and employs advanced tactics like fake ChatGPT and WhatsApp bots for personal information phishing. Targeting a wide array of language speakers but excluding Ukrainians, the actor ingeniously uses DNS CNAME records to distribute traffic and evade detection, managing a vast network of scam
Starting point is 00:06:52 campaigns since August 2021. This technique, the first of its kind reported, showcases Savvy Seahorse's ability to dynamically control campaign visibility and IP addresses, complicating security efforts to track and mitigate their operations. A report from McAfee highlights a notable GUloader campaign that leverages malicious SVG email attachments. Utilizing polymorphic code and encryption, it dynamically changes its structure to evade antivirus and intrusion detection, enabling persistent network infiltration. This latest campaign triggers a complex infection chain involving zip files, WSF scripts, and PowerShell commands to connect with malicious domains and execute shellcode. This process, culminating in the
Starting point is 00:07:45 injection of shellcode into legitimate processes for persistence and further malware deployment, exemplifies GUloader's versatility in delivering various malware types, underscoring its significant threat to both organizations and individuals. A significant resurgence of repo confusion attacks has been identified by security firm Apiiro, affecting over 100,000 GitHub repositories by tricking developers into using malicious versions of repositories that mimic trusted ones. These attacks, which rely on human error rather than exploiting package managers, involve cloning existing repositories, embedding them with malware, and then massively forking and promoting them online.
Starting point is 00:08:33 Once a developer uses these malicious repositories, the malware executes a series of obfuscations to deploy a payload that collects sensitive information, sending it to a command and control server. Despite GitHub's efforts to remove these forked repositories, the automated nature of the campaign allows thousands of malicious repos to persist, exploiting the vastness of GitHub and the difficulty in detecting such a small fraction of malicious content. Apiiro has highlighted the necessity of advanced malicious code detection systems, underscoring the ongoing vulnerability of the software supply chain to such sophisticated
Starting point is 00:09:12 attacks. European consumer groups are leveraging data protection laws to challenge Meta's recent EU service changes. Consumer groups say Meta is offering users a fake choice between consenting to data collection or paying for ad-free subscriptions. This action, coordinated by the European Consumer Organization and based on GDPR violations, argues that Meta's model infringes on principles like purpose limitation, data minimization, and transparency. The complaints suggest Meta's consent-based data processing for advertising lacks a valid legal basis under GDPR. Meta, of course, disputes these allegations and insists its approach aligns with GDPR,
Starting point is 00:10:02 referencing European Court of Justice support for its subscription model. This legal confrontation follows Meta's history of EU regulatory challenges, including a record €1.2 billion GDPR fine. Despite these issues, Meta continues to thrive financially, emphasizing its advertising-driven revenue model in its financial disclosures. Wired describes a report from the Conflict Observatory, an organization backed by the U.S. government, that reveals over 200 instances of damage to Ukraine's power infrastructure by Russia, costing over $8 billion. The study, using satellite imagery and open-source data,
Starting point is 00:10:47 confirms Russia's strategy of targeting civilian utilities to pressure Ukraine, marking potential war crimes. Despite challenges in documenting and verifying specific instances due to Ukrainian government restrictions on public information, the report highlights widespread attacks across 17 of Ukraine's 24 oblasts, affecting millions. The findings underscore the deliberate nature of these attacks, raising questions about their justification and military necessity. The documentation aims to support accountability and further investigation into violations of international law, with some Russian officials claiming the targeting of infrastructure as a legitimate military strategy,
Starting point is 00:11:31 a stance that contrasts with international humanitarian principles. Cisco released a security advisory detailing four vulnerabilities in its FXOS and NXOS software, including two high-severity flaws. The first high-severity vulnerability allows a denial-of-service attack due to a rate limiter queue issue, impacting specific Nexus 3600 and 9500 series products. The second involves insufficient error checking when processing MPLS frames, affecting multiple Nexus series with MPLS configuration. Patches for these issues have been released, and Cisco has not reported any exploitation of these vulnerabilities in the wild. The U.S. government has placed Canadian firm Sandvine on its entity list,
Starting point is 00:12:23 banning trade with the company due to its provision of technology facilitating mass surveillance and censorship in Egypt. Sandvine, known for its deep packet inspection technology, was cited for aiding the Egyptian government in web monitoring and blocking content targeted at political figures and human rights activists. This action extends to Sandvine's operations across Canada, India, Japan, Malaysia, Sweden, and the UAE, preventing organizations from trading with them or supplying goods and technology. Additionally, China's Chengdu-Beijing Electronics was also added to the entity list for its role in supporting China's nuclear weapons program through acquisitions for the University of Electronic Science and Technology, which is also restricted.
Starting point is 00:13:26 Coming up after the break on our Threat Vector segment, a conversation between host David Moulton and Michael Sikorski. He's Unit 42's CTO and VP of Engineering. They're discussing Unit 42's 2024 incident response report. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
Starting point is 00:14:12 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
Starting point is 00:14:42 when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:15:35 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. on today's threat vector segment we have a conversation between host david moulton director of thought leadership at palo alto networks unit 42 and michael sicko sikorsky he's unit 42 cto and vp of engineering they're discussing unit 42's 2024 Incident Response Report. I was inspired the other day to change my banking password to the hi-hat. But the bank rejected it and said no symbols. Oh, that's pretty bad. Welcome to Threat Factor, where Uni42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Uni42 has a global team of threat intelligence experts, incident responders,
Starting point is 00:16:44 and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for UnifortyTwo. This week, I want to share a conversation I've had with Michael Sicko-Sikorsky. Sicko is Uni42's CTO and VP of Engineering and Threat Intelligence. He's an industry expert in reverse engineering and wrote the bestseller, Practical Malware Analysis, and teaches cybersecurity at Columbia University. Sicko was the first guest we had on ThreatVector, and it's great to have him back. In this conversation, we dove into the new 2024 incident response report from Unit 42 and talked about emerging cyber threats and novel tactics that the team has uncovered as we worked matters with clients around the world. Sickle highlights
Starting point is 00:17:42 the importance of managing vulnerabilities and shared his thoughts on best practices to mitigate these risks. We also discussed how leveraging AI, automated responses, and threat intelligence can bolster cybersecurity. You can read the report or download a copy from our website. Here's our conversation. So there were a couple of big themes that emerged from this edition of the report. First, speed matters. No big shock there, but we'll get into it in a second. Software vulnerabilities still matter. And I think that given some of the news that we've seen recently, that's certainly the case. And then lastly, threat actors are becoming far more sophisticated.
Starting point is 00:18:23 Let's start with that first theme about speed. In the incident response report, the speed of data exfiltration seems like it's ramping up. The median time between compromise and exfiltration was two days in 2023, down from nine days in 2021. And nearly half of all breaches in 2023 led to data theft in under 24 hours. When I read that, it shocked me a bit. What's the biggest takeaway for organizations trying to shore up their defenses against these quick strike attacks? Yeah, I think it's really becoming challenging
Starting point is 00:18:56 for organizations that they need to make sense of this really quickly, right? If they're going to get data off your network and exfiltrate it in a day, that's really fast. I remember when I started doing incident response a long time ago, I'd go in and the threat actor had been there for a year and they still hadn't exfiltrated or even figured out where the thing is that they wanted to exfiltrate. So the time before the threat actor got access to the things they wanted just could take a really long time. But now what's happened is people are really starting to centralize their data like never before, right?
Starting point is 00:19:28 Cloud came out, people started unifying in one place. They don't have networks that are kind of messy from the perspective of the data is all over the place. It's more easily accessed across the network to the customers and more scalable. But in doing so, that kind of centralized everything and made it a lot easier for attackers to, once they get access to one thing,
Starting point is 00:19:49 they're able to get out with everything they need. And in a ransomware case, we worked this past year, in less than 14 hours, the attackers gained access to the org, exfiltrated terabytes of data, and then deployed ransomware to 10,000 endpoints, all in 14 hours. I mean, the amount of time you have when you're talking about that is a large customer. You've got to realize what's happening very quickly and realize when you need to pull the siren and start executing and defending yourself.
Starting point is 00:20:19 And I think the fact that there's just so many alerts and people are so buried by the amount of data they're getting from security products, it's really important to start including things like AI and automation and orchestration to make sure that you're able to sift through the noise, figure out what's important so you can respond super quickly to lock things down. I also think it's really important to figure out what are your crown jewels? What are the things the attacker is going to go after, right? it's really important to figure out what are your crown jewels? What are the things the attacker is going to go after, right? Like when I look at ransomware extortion cases that we've worked, a large amount of them, it's all about that data that they're after, right? Because if they can get your data, steal it, and if they encrypt it, you're going to want it back. If you don't have proper backups, let's say you do have proper backups, well, they're going to then threaten you because they took it off the network and they're going to say, we're going to release this data and you're not going to want that to
Starting point is 00:21:11 happen because your customers, your patients, your employees are going to get their information leaked and that's going to be a problem for your business. What are you willing to pay for that? So what you need to do is really hyper-focus around protecting the things that matter most, right? Because at the end of the day, everybody gets hacked. Your day, if it hasn't come yet, it will come. It's a matter of when that day is going to come, and you need to be prepared. Which means you also need to set up a defense on your crown jewels, the things that matter most, which is typically your data. And so how are you protecting that?
Starting point is 00:21:49 How are you monitoring it at a level that is above and beyond anything else you're doing anywhere else? Because that is going to enable you to know when something has gone awry. Sicko, thanks for taking us through your thoughts on the new 2024 incident response report from Unit 42. We have a link to that report in our show notes, or you can visit the Unit 42 site. We'll be back in two weeks with Jacqueline Wodajka for a deep conversation on the SEC's cyber rules. Until then, stay secure, stay vigilant. Goodbye for now. That's David Moulton and Michael Sikosikorsky
Starting point is 00:22:33 from Palo Alto Network's Unit 42. You can check out the Threat Vector podcast right here on the N2K Cyber Wire Network and wherever you get your podcasts. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization
Starting point is 00:23:21 runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Breaking news happens anywhere, anytime. Police have warned the protesters repeatedly, get back. CBC News brings the story to you live. Hundreds of wildfires are burning. Be the first to know what's going on and what that means for you and for Canada. This situation has changed very quickly. Helping make sense of the world when it matters most. Stay in the know. Download the free CBC News app or visit cbcnews.ca.
Starting point is 00:24:12 And finally, our reverse psychology desk tells us about a study from the University of Portsmouth that found that intimidating anti-piracy messages actually increase piracy intentions among men by 18%, while decreasing them in women. Examining the effects of different anti-piracy campaigns, researchers discovered gender-specific responses, with threatening legal language or highlighting risks like viruses and identity theft leading to an increase in piracy behaviors among men but a reduction among women. Educational messages about piracy's harms showed no impact on intentions of either gender. The study suggests anti-piracy strategies need to be tailored to avoid psychological reactance, particularly among men who may react against perceived threats to their freedom.
Starting point is 00:25:09 I don't know. We hate to generalize. But on a certain level, this tracks. I can say for myself that I've known plenty of men who respond to "don't do that" with "challenge accepted." And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast.
Starting point is 00:25:43 You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like The CyberWire are part of the daily intelligence routine [...] agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karp. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
