CyberWire Daily - Known Exploited Vulnerabilities. Fool’s gold. Hacktivists come in both dissident and loyal varieties. Naming and shaming the shameless.

Episode Date: February 13, 2023

CISA adds to its Known Exploited Vulnerabilities Catalog. Cl0p claims responsibility for GoAnywhere exploitation. Victims mine for gold; attackers use pig butchering tactics. Hacktivists disrupt Iranian television during Revolution Day observances. Killnet claims a DDoS attack against NATO earthquake relief efforts. CyberWire UK Correspondent Carole Theriault asks what we can learn from the recent Roomba privacy snafu. Rick Howard looks at first principles we considered along the way. And can you name and shame the shameless?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/29

Selected reading.
CISA Adds Three Known Exploited Vulnerabilities to Catalog (CISA)
GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks (SecurityWeek)
Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day (BleepingComputer)
Fool’s Gold: dissecting a fake gold market pig-butchering scam (Sophos)
Iranian State TV Hacked During President's Speech on Revolution Day (HackRead)
Russian hackers disrupt Turkey-Syria earthquake relief (The Telegraph)
Hacking marketplace emerges from Killnet partnership, seeks pro-Russia donations (SC Media)
Russian Government evaluates the immunity to hackers acting in the interests of Russia (Security Affairs)
Russia’s Ransomware Gangs Are Being Named and Shamed (WIRED)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. CISA adds to its known exploited vulnerabilities catalog. Cl0p claims responsibility for GoAnywhere exploitation. Victims mine for gold. Attackers use pig-butchering tactics.
Starting point is 00:02:15 Hacktivists disrupt Iranian television during Revolution Day observances. Killnet claims a DDoS attack against NATO earthquake relief efforts. CyberWire UK correspondent Carole Theriault asks what we can learn from the recent Roomba privacy snafu. Rick Howard looks at first principles we considered along the way. And can you name and shame the shameless? From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 13th, 2023. We begin with a quick note that will be of interest to U.S. federal civilian executive agencies. On Friday, CISA added three entries to its known exploited vulnerabilities catalog. One is a denial of service vulnerability in Intel's Ethernet diagnostics driver for Windows. The second is a remote command execution vulnerability in TerraMaster OS. And the third
Starting point is 00:03:33 is a remote code execution vulnerability in Fortra GoAnywhere. More on that last one in a moment. U.S. federal civilian executive agencies have until March 3rd to check their systems, and as usual, they're advised to apply updates per vendor instructions. All three of the vulnerabilities are undergoing active exploitation in the wild. Back to that Fortra vulnerability. The company disclosed a vulnerability in their GoAnywhere managed file transfer software, offering indicators of compromise with a patch following quickly thereafter. Attacks exploiting the vulnerability
Starting point is 00:04:11 are said to be linked to operators of the Cl0p ransomware family, who themselves claimed credit to Bleeping Computer on Friday. The GoAnywhere vulnerability, Bleeping Computer explains, enables attackers to gain remote code execution on unpatched GoAnywhere MFT instances with their administrative console exposed to Internet access. The release of a proof-of-concept exploit came last Monday, with the company providing emergency updates the following day. Fortra wrote on their support site Thursday that their managed file transfer as a service was also affected. The Cl0p gang reached out to Bleeping Computer, claiming responsibility for the attacks and saying that they had stolen the data over the course of 10 days after breaching servers vulnerable to exploits targeting this bug. Lateral movement across victimized systems and implementation of ransomware
Starting point is 00:05:08 were also reported possible, according to this spokesperson, though the gang's good nature, of course, prevented them from doing either, stealing only documents from compromised servers. Cl0p's observed activity exploiting a zero-day Accellion FTA vulnerability in 2020 to steal the data of around 100 companies is reminiscent of this more recent activity that the gang claims affected 130 victims. In any case, users should patch in accordance with Fortra's instructions. Sophos researchers today released a report detailing a scheme they're calling Fool's Gold, one of several pig butchering schemes they've tracked earlier under the CryptoROM umbrella.
Starting point is 00:05:53 Pig butchering uses emotional appeals, usually conducted with an extensive preparatory phase, to lure victims into fraudulent investments. The indelicate metaphor suggests fattening up the mark before leading them to slaughter. Researchers report that the scam began with a direct message on Twitter pretending to come from a woman in Hong Kong. She, he, or they, of course, is a catfish. The woman moves the conversation from Twitter and onto Telegram and eventually brings up a gold trading marketplace that her uncle taught her how to use.
Starting point is 00:06:30 MetaTrader 4, a legitimate trading application created by a Russian company observed to be previously abused, is the app eventually provided to the researcher, though it's not delivered via the legitimate app store, but rather in the form of a link to a fake website. Here's where the story gets more complicated. The iOS download of the app alarmingly requires accepting an enterprise mobile management profile connecting the phone to a server in China. The researcher says the scammer claimed that the app had to be installed in this manner due to U.S. sanctions. So, okay, thinks the prospective victim. Hey, I've heard about these
Starting point is 00:07:12 sanctions. Sounds legit. Maybe she seems nice, right? Due to the actual MetaTrader 4 app's development by a Russian company, the app is not accessible in the U.S. store. Sophos reports that the illegitimate application is only slightly modified, with one server tracing back to the Hong Kong-based scammer. The scammer then redirects the mark to that uncle she said was a gold trading expert. The uncle, given the name Martin Richard, also feigns legitimacy. He's got a big-time backstory, too, claiming to be a former Goldman Sachs analyst. You've heard of Goldman Sachs. Sounds legit, right? Uncle Martin then provides a link to the Mabuki financial site and guides the victim through registration, with Martin eventually saying that the real account setup would enable
Starting point is 00:08:05 deposits and trades that could be executed under his instruction. Martin and his niece, once again, we reiterate just to be perfectly clear here, are catfish, fictitious personas. So remember, not all that glitters is gold. It's not even Goldman Sachs. According to Reuters, hacktivists briefly disrupted a televised speech by Iranian President Ebrahim Raisi on the occasion of Revolution Day, observed Saturday. HackRead reports that the Iranian dissident hacktivist group Justice of Ali has claimed responsibility for the action. In addition to airing a familiar slogan, Death to Khomeini, the group urged Iranians to withdraw their money from state banks and participate in anti-government protests expected this Thursday. The hacktivists claimed
Starting point is 00:08:57 responsibility in a communique stating, We, the Edalat-e Ali group, hacked the Islamic Republic of Iran's TV and radio transmission. First of all, the Edalat-e Ali group offers its condolences to the entire freedom-loving nation on the decade of dawn at the impure arrival of Khomeini, the executioner to Iran. The disruption was brief, CNN says, lasting about a minute. Edalat-e Ali are dissident hacktivists. Other hacktivists, like Killnet, function in cooperation with their government, and they're not particularly picky about whom they disrupt. They've been interfering with Western hospitals, and now they're seeking to gum up relief efforts to Turkey in the aftermath of the recent earthquake. The Russian cyber auxiliaries
Starting point is 00:09:46 of Killnet claimed over the weekend, we are carrying out strikes on NATO, details in a closed channel. The Telegraph reports that the boast referred to a distributed denial of service attack that's disrupted NATO communications with NATO aircraft delivering humanitarian relief supplies to earthquake-stricken regions of Turkey and Syria. A NATO representative said, NATO cyber experts are actively addressing an incident affecting some NATO websites. NATO deals with cyber incidents on a regular basis and takes cybersecurity very seriously. The effects of the attacks appear to have been limited and were contained after a few hours. It's worth noting that all it takes to draw Killnet's
Starting point is 00:10:31 attention is the word NATO, and who cares about incidental suffering? Not Killnet or Killnet's masters, obviously. Radware has reported that Killnet and its partners in the Deanon Club, working together as the Infinity team, have established Infinity, a darknet forum that caters to cybercriminals. The researchers state, the forum offers advertisement spaces, paid status for those who want to perform business on the forum, and is currently offering a variety of hacking resources and
Starting point is 00:11:05 services through its hack shop, including DDoS services. The Infinity team claims to operate from Belarus, and it makes its resources available to all pro-Russian threat groups, providing a special section where they can post their own content. Radware says these groups include Beregini, Zarya, RaHDit, Zaknet, DPR Joker, and NoName. The forum, and others like it, offer a way for hacktivists to combine patriotism with criminal profit. Radware concludes, if Infinity Forum becomes successful, it will produce a windfall of profits for the pro-Russian hacktivist threat groups. Wired sees recent U.S. and U.K. sanctions against TrickBot as representing a new kind of action against ransomware operators. Individuals are being named. This brings a greater degree of
Starting point is 00:11:59 specificity to sanctions than complaints against government agencies, in this case Russian. Whatever the effects of naming and shaming might be, they're unlikely to extend to Russian government action against cyber criminals. According to the Russian outlet Govorit Moskva, which sources its story to TASS, the Duma is considering legal immunity for hackers acting in the interest of Russia. Alexander Khinshtein, head of the Duma Committee on Information Policy, said last week, We are talking about, in general, working out the exemption from liability of those persons who act in the interest of the Russian Federation in the field of computer information, both on the territory of our country and abroad.
Starting point is 00:12:44 The details will be made public once they're worked out. You probably can't shame the shameless, but maybe you can at least make it tougher for them to get access to hard currency and harder to vacation on the Riviera. Coming up after the break, our UK correspondent Carole Theriault asks what we can learn from the recent Roomba privacy snafu. Rick Howard looks at first principles we considered along the way. Stick around. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:13:40 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:14:18 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already
Starting point is 00:15:06 been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. You may recall there was a recent incident regarding a Roomba vacuum that invaded the privacy of someone in a private place in their home. Our CyberWire UK correspondent, Carole Theriault, files this report. MIT Technology Review had a big media win recently. Late last year, they got a tip that flagged some pretty concerning photos that had made it to the web. Now, these pics were taken inside people's houses and from a very low angle looking upwards, sometimes even getting shots of the ceiling.
Starting point is 00:16:06 Sometimes these pictures included people, but it looked like the people or pets had no idea that they were being photographed. How to tell? Well, one pic made headlines because the person was sitting on a toilet. MIT researcher Eileen Guo decided to investigate, and she says it took months. And they eventually were able to pinpoint the culprit, a Roomba, the smart automated vacuum produced by iRobot. What had gone wrong? Well, further investigation revealed that these were not customers, but employees, also known as paid data collectors. In other words, the people in the photos were beta testers
Starting point is 00:16:47 and they had agreed, on paper anyway, to participate in the process. The problem is that it maybe wasn't perfectly clear what participation meant. Eileen Guo summarized it like this, quote, They understood that the robot vacuums would be taking videos from inside their houses, but they didn't understand that, you know, they would be labeled and viewed by humans, or they didn't understand that they would be shared with third parties outside of the country. And no one understood that there was a possibility at all that these images could end up on Facebook and Discord, which is how they
Starting point is 00:17:25 ultimately got to us, unquote. Apparently, the images were leaked by some data labelers who were contracted in by iRobot. And this is a key point that the researchers make. These were low-paid workers that were being asked to label these images to teach AI how to recognize what they were seeing. And this is kind of important work. This is the process that makes it easier for computers to understand and interpret the data in the form of images or text or audio or video. And it's used in everything from flagging inappropriate content on social media, or in this case, helping a robot vacuum recognize what's around it. Of course, employees who found Roomba snaps of themselves on the internet, ones they never knew were taken, must have felt like mugs, and perhaps humiliated by the
Starting point is 00:18:19 short-sightedness of their employer to think they could contract this out to low-paid workers. There are a few takeaways, though, in this story. I'd say let this be a reminder to, one, always read the fine print. Two, think twice before allowing recording devices, be it a camera or microphone, into your private space. And that includes all smart electronics, from white goods to handsets to headsets to vacuums.
Starting point is 00:18:53 And three, if you decide to bring one of these gizmos in, check the settings and change the default passwords. This was Carole Theriault for The Cyber Wire. And joining me once again is Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst. Rick, always great to welcome you back. Hey, Dave. So in our Slack channels this week, you have been waving around copies of some old research papers from the early days. I'm talking about the 60s, 70s, 80s, and 90s, which sounds like my favorite radio station. But the digital dust was flying because those papers are so old.
Starting point is 00:19:37 So what's going on here, Rick? I know. Some of those papers are ancient. Well, as you know, my CSO Perspectives podcast is largely about getting back to first principles, cybersecurity first principles, if you will. And I've made the argument over the past three years that our collections of best practices, laws, and frameworks haven't really stemmed the hacking tide. You may have noticed, Dave.
Starting point is 00:20:00 Well, I totally agree with you. You know, I read the cyber news every day and it doesn't feel like the volume of attacks is going down at all. Are you saying that if those best practices and laws and frameworks are so good, then why aren't we on top of this? Why aren't we doing a better job? Right. And let me reiterate here, those tools aren't bad per se. There's some really good stuff in those things. It's just that they're not sufficient. I make the case in my podcast that these are not the essential first principles of cybersecurity. I mean, it's been 50 years since we started this security thing. Let's call it
Starting point is 00:20:39 the early 1970s when things got rolling. And these big brain thought leaders, you know, from that time, like Willis Ware, we've all heard of these guys, Willis Ware and James Anderson and Bell and LaPadula and Schroeder and Saltzer, they made some assumptions about how to protect our digital spaces back in those early days. And the rest of us kind of just went along and we never stopped to consider if we were going in the right direction in the first place. What do you mean? What were some of the big ideas back then? Well, there was a bunch of ideas, but two that had some staying power. The number one was that
Starting point is 00:21:11 they all thought it was possible to design a computer system that couldn't be hacked. You know, that didn't turn out too good. Isn't that adorable? Yeah. I know. And we spent all that brainpower for 20 years trying to figure it out. So that's one thing. The number two one, though, is the notion of the CIA triad, the confidentiality, integrity, and availability. And that all sounds great when you say it fast, CIA triad, but it's not adequate to solve all the issues that we face in the modern day. So, for this latest episode of the CSO Perspectives podcast, we talk about all of that and many of the other ideas that the research community has put forth up to the current day as the ultimate cybersecurity first principle. All right. Well, that is over on the
Starting point is 00:21:55 subscription side. How about on the public side with your CSO Perspectives show? This week, we're involving another Rick DeToolman episode from May of 2022 called Software-Defined Perimeter. Yes, I remember that one. Now, my recollection is that that name itself is kind of wonky and doesn't really accurately convey what the technology does, right? Yeah, right. Software-Defined Perimeter has nothing to do with perimeter defense at all. Who knew, right? So, no wonder that most of us are confused about what the vendors are selling us every day.
Starting point is 00:22:29 So, STP, as the cool kids call it, takes the identity and access management systems out of the traditional perimeter and moves them somewhere else in the cloud. The system verifies who you say you are and then establishes a connection to the workload, the only workload that you're authorized to connect to. So we're going to take a look at that. All right. Well, before I let you go, what is the phrase of the week on your Word Notes podcast? This one we had a little fun with, with chat GPT and AI being all the rage right now. We thought it would be fun to have the chatGPT interface write the show for this week. We even asked if which movie or TV show best represents the current technology that ChatGPT represents.
Starting point is 00:23:11 And you're going to be surprised with what we came up with. And that, Dave, is what we call a tease. Well played, sir. Well played. All right. Well, Rick Howard is the CyberWire's CSO and also our chief analyst. But more importantly than any of that, he is the host of the CSO Perspectives podcast. Rick, thanks for joining us. Thank you, sir. Cyber threats are evolving every second, and staying ahead is more than just a challenge. ... designed to give you total control, stopping unauthorized applications, securing sensitive
Starting point is 00:24:05 data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. ... the Grumpy Old Geeks podcast. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of Data Tribe,
Starting point is 00:24:58 where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliott Peltzman. The show was written by John Petrik.
Starting point is 00:25:13 Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
Starting point is 00:26:05 and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
