CyberWire Daily - Malvertising meets SEO poisoning. Fast moving on MOVEit exploit remediation. Ransomware trends. Cyberespionage, sanctions, and influence ops. Ave atque vale Kevin Mitnick.
Episode Date: July 20, 2023

Sophos analyzes malvertising through purchased Google Ads. The MOVEit vulnerability is remediated faster than most. The DeliveryCheck backdoor is used against Ukrainian targets. SORM is under stress. Ukrainian police roll up another bot farm working in support of Russian influence operations. AJ Nash from ZeroFox provides insights on the White House cybersecurity labeling program. David Moulton from Palo Alto Networks Unit 42 introduces his new segment "Threat Vector." And we bid farewell to Kevin Mitnick.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/137

Selected reading.
Bad ad fad leads to IcedID, Gozi infections (Sophos News)
New research reveals rapid remediation of MOVEit Transfer vulnerabilities (Bitsight)
GRIT Ransomware Report-2023-Q2 (GuidePoint Security)
Russia's Turla hackers target Ukraine's defense with spyware (Record)
Russian Hackers Probe Ukrainian Defense Sector With Backdoor (Bank Info Security)
Russia's vast telecom surveillance system crippled by withdrawal of Western tech, report says (Record)
Ukraine's cyber police dismantled a massive bot farm spreading propaganda (Security Affairs)
Kevin David Mitnick, August 6, 1963 - July 16, 2023. (Dignity Memorial)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Sophos analyzes malvertising through purchased Google Ads.
The MOVEit vulnerability is remediated faster than most.
The DeliveryCheck backdoor is used against Ukrainian targets.
SORM is under stress.
Ukrainian police roll up another bot farm working in support of Russian influence operations.
A.J. Nash from ZeroFox provides insights on the White House cybersecurity labeling program.
David Moulton from Palo Alto Networks' Unit 42 introduces his new segment, Threat Vector, and we bid farewell
to Kevin Mitnick. I'm Dave Bittner with your CyberWire Intel briefing for Thursday, July 20, 2023. Sophos has released a threat profile report for malvertising campaigns
that use paid advertisements to infect victims with infostealers and backdoors.
The threat actors have been using search engine optimization poisoning
to position themselves at the top of search results,
thereby making users more ready to click malicious links and download malware.
As Sophos explains, as well as conning search engines to try to get their malicious sites near
the top of search results, they can also pay for the privilege, buying paid ads from Google so that
their sites are guaranteed to appear prominently. This attack, known as malvertising, is often aimed at users looking to download popular software applications.
Malvertising isn't a new tactic, but it's growing in popularity,
especially when paired with SEO.
Through its own research, Sophos has determined
that many of the malicious ads were in fact purchased and presented through Google Ads,
and larger
market trends are also reflected in the criminals' ad buys. Sophos also noticed that newer malvertising
campaigns tend to forego previous fake advertisements for sought-after tools like WinRAR and Notepad++,
instead targeting users searching for AI-related tools such as ChatGPT and Midjourney.
So the cyber gangs have recognized the truth of what Dorothy L. Sayers wrote almost 100
years ago.
It pays to advertise.
Bitsight has published a report looking at organizations' remediation of the various
MOVEit vulnerabilities disclosed over the past few months.
Bitsight says, "In a typical vulnerability remediation pattern, it would take 29 months to reach the same level of remediation we observe happening for MOVEit after just 42 days.
In other words, organizations are remediating CVE-2023-34362 roughly 21 times faster than what's considered typical."
The point? Organizations are taking these MOVEit vulnerabilities
very seriously, and rightfully so.
Bitsight believes the rapid patching
is due to Progress Software's diligence
in publishing timely and informative advisories,
as well as the U.S. Cybersecurity
and Infrastructure Security Agency's
timely and explicit alerts.
In its annual ransomware report, GuidePoint Security describes the current state of ransomware,
what industries it affects most, and casts a spotlight on threat actors.
The report explains that ransomware has reached an all-time high since GuidePoint's Research
and Intelligence Team began tracking it, and now seems to primarily affect organizations in
the U.S., which make up just over 51% of the victims reported. In comparison, the second
most affected country is the U.K., which makes up just 5% of the reported victims.
The industries most heavily impacted by ransomware in the second quarter of 2023
are manufacturing, followed by technology and banking and finance.
By far the most prolific organization conducting these attacks is LockBit,
with ALPHV placing second and 8Base showing at third.
The criminal-to-criminal market has driven down costs and thus barriers to entry
that the less skilled and more poorly resourced gangs
would otherwise have to hurdle.
While there's a lot of reuse of code
and while potential victims are often alert to the older threats,
what GuidePoint calls smaller or less resourced organizations
probably remain vulnerable.
So the gang's attentions will in all likelihood be driven downmarket.
also known as KRYPTON, UAC-0003, Venomous Bear, or Turla, and generally associated with Russia's FSB security service.
The organizations that have attracted the FSB's attention are, for the most part, found in the defense sector.
The attack begins with phishing, the phish hook being a document carrying malicious macros. These install a backdoor, DeliveryCheck, which establishes persistence through a scheduled task that downloads and launches it in memory.
The backdoor is also in contact with a command and control server from which it receives
a variety of follow-on tasks.
Various open source and specialized tools are used to exfiltrate messages from the Signal
desktop messaging application.
The operators seem interested in private Signal conversations, documents, images, and archive files.
The activity isn't confined to Signal. Microsoft also observed the threat actor targeting Microsoft
Exchange servers, where it installs server-side components of DeliveryCheck using PowerShell
Desired State Configuration. This approach uses a PowerShell script to place a .NET payload
into memory. Microsoft says this effectively turns a legitimate server into a malware C2 center.
We note in full disclosure that Microsoft is a CyberWire partner.
A study by the Carnegie Endowment for International Peace concludes that sanctions have rendered Western technology increasingly inaccessible to Russia's government
and that this is placing Moscow's domestic surveillance apparatus, SORM, under stress.
SORM rides atop Russia's ISPs and telcos, and those sectors are being
hit hard by sanctions levied in response to Russia's invasion of Ukraine. The report concludes,
ultimately the FSB-led surveillance state envisioned by the Kremlin prior to the Ukraine war
and by the KGB in its Cold War heyday is now beset by a potentially crippling web of dependencies.
Much about the program remains shrouded in secrecy.
However, available insights suggest that SORM's fate is largely anchored to that of the Russian tech sector.
The Record points out the irony of the situation.
About half of Russia's mobile infrastructure had been
furnished by Nokia and Ericsson. Both companies have said they won't sell further systems to
Russia, and their participation in the sanctions has been supported by Finland's and Sweden's
decision to join NATO. Those decisions were given impetus by Russia's invasion of Ukraine.
Ukrainian police announced this week that they've broken up a criminal operation
working from Ukrainian cities that amplified Russian propaganda
directed against Ukrainian popular opinion.
The group is also said to have engaged in data theft and other cybercriminal activities.
In addition to the arrests, police seized SIM cards and other hardware.
And we conclude with a somber note.
The renowned hacker Kevin Mitnick, known widely as a hacker in the true sense,
has passed away at the age of 59, losing his battle with cancer.
For those unfamiliar with his career, Mitnick delved into hacking with an art-for-art's-sake spirit,
starting as a phone
phreak during his teenage years. However, his actions sometimes crossed legal boundaries,
leading to a prison term. Despite this, his intentions were not malicious, as evidenced
by the testimony of his federal prosecutor, who noted that Mitnick didn't seek financial gain
from his hacking exploits.
Following his release from prison in 2000,
he transformed himself into a white-hat hacker,
using his skills for ethical purposes and contributing positively to the field.
Since November 2011, he had been the chief hacking officer and part owner of the reputable security awareness training firm KnowBe4.
As we bid farewell to Kevin Mitnick, we extend our heartfelt condolences to his colleagues,
friends, and most importantly, his family during this time of mourning.
We will remember him as a kind and amicable individual, and may he find eternal rest.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
It is my pleasure to welcome to the CyberWire podcast David Moulton.
He is the Director of Thought Leadership with Palo Alto Networks' Unit 42.
David, welcome.
Thanks, Dave. Good to be here today.
So this kicks off a series of segments that you and I are going to share together from Unit 42 and your colleagues there.
Can we start off with some descriptive stuff here for folks who may not be familiar with Unit 42 at Palo Alto?
What is the mission of you and your colleagues there?
So Unit 42 is a threat intelligence business. It is an incident response business.
It is a team of experts that can help our clients out with proactive assessments. So there's a variety of different things that Unit 42 does. The threat intel feeds into the technology that Palo Alto distributes out to the world.
The understanding that we gain from incident response work and from working with companies
on their strategies for proactive protection are also baked into those technologies.
And that meets our mission to make the digital world a safer place.
And so what are you hoping to achieve here by spreading the word via this podcast?
So Unit 42 has some of the most interesting stories, as you can imagine, from the threat research perch that we have, the relationships that we maintain with law enforcement agencies around the world.
We also have a lot of insights and interesting stories to share from the incident response side.
I believe it is helpful for us to talk about those learnings, those insights,
and to help our listeners use those insights to better protect themselves and to think more deeply about their security strategies.
You know, there's really a sense of community here that comes into play.
I know that's important for you
and your colleagues there at Unit 42.
I suppose on the one hand,
it would be easy from a business point of view to say,
we're going to keep everything close to the vest
and try to have trade secrets and those sorts of things. But that's not really the philosophy that you all have adopted.
It's not, Dave. Unit 42 has been publishing our threat research for years. It's one of the
top visited spaces within our domain. Our threat research articles are deep. They have actionable
intel in them and have really established one of the aspects that we're most proud of about the
brand is that anyone can come and learn. Anyone can use that research. It's part of why we maintain
such strong relationships with clients and with
law enforcement is that we don't hang on to everything ourselves. In security, sometimes
it is a tendency to know a thing and keep it to yourself, whether it's an insight or you've had
a rough day. I think there's some compelling reasons to stop doing that. And that's part of what the show is about.
That's part of what Unit 42's DNA is made of.
Can we touch on the global aspects of Palo Alto Networks itself and how having that global reach really contributes to the big picture, the information you all are able to gather and share?
Absolutely. When you think about
any knowledge that a group or a person has, there are going to be gaps and biases. With Unit 42,
we've got experts around the world. We've got telemetry that's coming in from deployments
of technology at all types of different companies in different environments.
And it's that global perspective and that large amount of observation data that we can start to
draw together and then use the expertise, the experience, the analysts, and the relationships
that we have to figure out what matters most and to get that out quickly into our technology and into our customers' hands
so they can better protect themselves without having a very biased view,
one that comes from just a geo or just a certain type of training
or just a certain type of security control.
I should mention the title of the segment is Threat Vector. Any particular meaning with choosing that name?
Well, yes. So when you think about threat intelligence, that's the core aspect of Unit 42: the TTPs, understanding what different threat actors are doing or not doing. If they move
parts of their infrastructure from one space to another, you've got to interpret what that means.
So we wanted to definitely lean into the idea of threat. And then Vector goes right there with it.
Where is it coming from? What is its angle? What is its velocity? And, you know, I'm hoping to get something going here with my team calling it Threat Vector Thursdays when we're appearing on the CyberWire Daily.
So look out for that hashtag, Threat Vector Thursdays.
Fair enough. Well, I'm looking forward to what is yet to come.
David Moulton is from Palo Alto Networks' Unit 42.
David, welcome to the CyberWire and thanks so much for taking
the time for us today. Absolutely delighted to be here. Thanks, Dave.
The Biden administration announced a cybersecurity labeling program,
which aims to convince electronics and appliance manufacturers and retailers
to make voluntary commitments to increase cybersecurity on smart devices,
earning them a U.S. Cyber Trust Mark on their products.
A.J. Nash is vice president and distinguished fellow of intelligence at ZeroFox.
I reached out to him for insights on the White House initiative.
The White House came out today and announced the new U.S. Cyber Trust Mark program. So this is being
spearheaded by the FCC. And I think it's a really interesting concept. It's a great opportunity for public-private collaboration.
And the focus really is helping consumers understand the risks associated with a lot of the technologies that we've come to know and use regularly, a lot of smart technologies. Whether it's smart appliances in the kitchen, whether it's your televisions, whether it's watches, fitness trackers, thermostats, you know, all the
things that we use every day. There's a lot of risk associated with these technologies. And the
average consumer really doesn't have much of a way of understanding that, you know, it's very
technical, it's, you have to be a bit of an expert in a lot of cases to understand these things. So
the government is working with some of the largest companies, brands and names we know,
you know, Amazon and Google and Best Buy and LG and Logitech and Samsung and some of those,
to develop a standard that can be applied to all these technologies.
And I think there's going to be a little seal of approval on it, something to that effect,
that says this meets the standards of the U.S. Cyber Trust Mark.
And so they're working with NIST on this, the National Institute of Standards and
Technology, for those who aren't familiar with the term, to develop standards for this.
So I think it's great. I think it's virtually impossible right now for consumers to know,
should I buy this technology? Should I not? I mean, I don't know about you, but I have family
members often come up to me and talk to me about this. Is this safe? Should we get this in the
house? Should we not have it in our house? You know, should we have digital photo albums?
Those kinds of things come up a lot.
And so I think, to be honest, I think this might be overdue.
So it's great to see.
It's going to take time.
I mean, they've got to develop the standards and figure it out where it goes.
I don't recall seeing a timeline for this other than I think by the end of 2023, NIST
was going to have a standard for routers specifically.
Right, right.
So it's obviously going to move somewhat quickly,
but I think it's great. I think it should make it much easier for the consumer to know,
you know, comparatively at least, is this a technology I should or shouldn't buy compared
to others? And you got to really understand your own risk. And this is going to empower people
to make better decisions, I think. Probably pressure technologies too, and companies to
build better products out of the box instead of sending things off into the marketplace and then discovering the vulnerabilities later when people have been compromised and had
to deal with those vulnerabilities. It strikes me that this may be the cybersecurity equivalent of
the Energy Star sticker that we've all grown accustomed to. Yeah, I think so. Somebody else
mentioned that earlier to me today as a comparison. I think it's a good comparison, right? You and I, I mean, I can't speak for you, but I'm going to gamble that before that existed, you didn't know how much energy your refrigerator used in a year. I know I didn't, right?
It'll tell you how much fuel it's supposed to use over the year or something like that.
So yeah, I think so.
It's the kind of information that helps us make better decisions on what we purchase, but we would never be able to calculate it ourselves.
So as consumers right now, we're sort of in the dark on this, which means you just have
to trust whatever company you're working with.
And in a lot of cases, just kind of hope.
And a lot of data has been exposed through a lot of these technologies.
You know, the fitness trackers come to mind specifically.
I know a lot of people have, whether it's a Fitbit or Samsung or Google or Apple or
whoever's on your wrist right now, you know, all these different trackers and technologies
that are out there. And I don't think people understand how much of that is unsecure right
now and how important that is for threat actors who want to track somebody down, whether it's
a stalker, you know, whether it's a nation state trying to target somebody. There's any number of nefarious reasons to want to know where somebody
is and when. And a lot of those technologies aren't well secured. Any thoughts on the FCC
being the lead agency here? Does that, in your mind, does that track? Yeah, I mean, I think that's
where it belongs. You know, this falls in line with what the FCC does.
I mean, this falls in line with their mission, right?
You know, I think, I'm sure there'll be speculation and debate.
There's a couple other places that probably come to mind that people will take a look at.
I think wherever something happens within a government administration, there's going to be detractors who say, well, it should be here, it should be there.
You know, I'll be interested to see who they work with. Working with NIST, I think, is a fantastic thing.
I think that's really important.
You know, the Department of Energy is going to be involved in a collaborative effort as well with National Labs. And I think, you know, we'll probably see, you know, some of
the cybersecurity components involved, whether it's, you know, Cybercom or CISA or whoever. I'm
sure there'll be other bits and pieces tied to this. But yeah, to me, it makes sense that the
FCC is going to spearhead this. It seems like something that fits within their remit.
And how do you feel about this being a voluntary program rather than compulsory?
Well, I think that's always a good place to start.
It's really hard for the government to come in and mandate things.
Mandate is almost always very unpopular, right?
I think coming in and saying, we have a program.
Sure, we'll make it voluntary.
Listen, a lot of big names have already signed up to do this, a lot of big brands. I think the
competitive market will probably end up taking advantage of that. This is going to create a
competitive advantage. If you have a product that has a seal of approval on it, for the average
consumer, assuming this is well understood, which, as you said, like Energy Star, for instance,
you're going to have some marketing to go with this so people know what the stamp means.
I think others will, they won't have to be compelled to do it.
They'll have to do it if they want to stay in the market, if they want to stay competitive.
So I think it's a wise place to start.
Let's see how the competitive market handles it.
And then we'll go from there.
Now, if it turns out that really unsecure devices are undercutting the market by 50,
60, 70% in pricing and prices driving consumers to continue to buy risky things,
I wouldn't be surprised if the government wants to incentivize a little bit more.
But it's really hard to mandate things. And they got off to a really slow start,
especially in a super politicized world we're in now. No matter who was in office,
no matter which party was in office, no matter which party had Congress, whatever it might be,
they're going to argue with each other. And mandates are just a great opportunity for
somebody to poke a hole and turn into a political, you
know, football that says, aha, see, they're expanding government, right? So I think just
avoiding that pitfall is a nice place to go to say, hey, we're trying to do something to make
people safer. We're not going to force it on you, but here's the way it's going to work.
I think that also avoids politics in a time when almost everything is political. So it seemed like
it made sense to me. Yeah. I often joke that you could hand out gold bricks and there would be people who complain that they're too heavy.
That's a good point.
It's the same person that's going to complain if they win the lottery and have to pay taxes, right?
Right.
There's always something.
But I promise you, if you hand me a gold brick, I will not complain about the weight.
And if anybody knows the winning lottery numbers for this week and hands them to me, I promise I won't complain about the taxes.
Deal.
All right.
AJ Nash is from ZeroFox.
AJ, thank you so much for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default-deny approach can keep your company safe and compliant.
podcast, you can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the
information and insights that help keep you a step ahead in the rapidly changing world of
cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the
daily intelligence routine of many of the most influential leaders and operators in the public
and private sector, as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence
and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.