CyberWire Daily - New phishing campaigns hit Microsoft 365 and Adobe users. Big Head ransomware. Multichain bridge compromised. CISA adds a KEV. Progress patches MOVEit. Telegram's role in Russia's war.
Episode Date: July 10, 2023

New phishing campaigns afflict users of Microsoft 365 and Adobe. An analysis of Big Head ransomware. Multichain reports a crypto heist with over $100 million stolen. CISA makes an addition to the Known Exploited Vulnerabilities Catalog. Progress Software issues additional MOVEit patches. The FBI's Deputy Assistant Director for Cyber, Cynthia Kaiser, joins us with examples of the agency's technical disruption operations. Our guest is Scott Piper, Principal Cloud Security Researcher at Wiz, sharing findings of their State of the Cloud 2023 report. And Telegram's role in news about Russia's war.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/129

Selected reading.
M365 Phishing Email Analysis – eevilcorp (Vade Secure)
New Phishing Attack Spoofs Microsoft 365 Authentication System (HackRead)
Tailing Big Head Ransomware's Variants, Tactics, and Impact (Trend Micro)
New 'Big Head' ransomware displays fake Windows update alert (BleepingComputer)
Unfolding Cybersecurity Crisis: Aptos Network and Multichain Face Cyber-Attacks (CryptoMode)
More than $125 million taken from crypto platform Multichain (Record)
Exploit of Fantom, Moonriver and Dogechain Crypto Bridges Confirmed by Multichain Team (CoinDesk)
CISA Adds One Known Vulnerability to Catalog (CISA)
Google patches 43 Android Vulnerabilities Including 3 actively exploited zero-days (Cyber Security News)
Progress Software Releases Service Pack for MOVEit Transfer Vulnerabilities (CISA)
After Zero-Day Attacks, MOVEit Turns to Security Service Packs (SecurityWeek)
Killnet as a private military hacking company? For now, it's probably just a dream (Record)
Telegram has become a window into war (The Verge)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
New phishing campaigns afflict users of Microsoft 365 and Adobe,
an analysis of Big Head ransomware.
Multichain reports a crypto heist with over $100 million stolen.
CISA makes an addition to the Known Exploited Vulnerabilities Catalog.
Progress Software issues additional MOVEit patches.
The FBI's Deputy Assistant Director for Cyber, Cynthia
Kaiser, joins us with examples of the agency's technical disruption operations. Our guest is
Scott Piper, Principal Cloud Security Researcher at Wiz, sharing findings of their State of the
Cloud 2023 report and Telegram's role in news about Russia's war.
I'm Dave Bittner with your CyberWire Intel briefing for Monday, July 10th, 2023.

Email security company Vade has detected a new email phishing campaign that contains a malicious HTML file that runs JavaScript meant to collect the victim's email address and update a fake login page with the information collected.
The script then forwards the victim to the aptly named eevilcorp.online.
The researchers at Vade determined that the unknown actors are hosting their malicious HTML domains on glitch.me,
stating, we found results for related Microsoft 365 phishing attacks online,
in which requests to eevilcorp.online were made for the phishing applications.
Unknown phishers have leveraged the platform glitch.me to host malicious HTML pages.
HackRead explains that Glitch.me is a platform that enables users
to create and host web applications, websites, and various online projects.
Unfortunately, in this instance, the platform is being exploited
to host domains involved in the ongoing Microsoft 365 phishing scam.
Vade's research also discovered a similar attack that spoofs the login for Adobe
and that uses the same domains as the Microsoft 365 phishing attack.
Vade was able to establish a link between the spoofed web login pages and an application named Hawkeye, stating, as reported by several cybersecurity actors like Talos,
the original Hawkeye Keylogger is a malware kit whose story began in 2013.
Because several versions were introduced,
we don't know if the authentication page is related to Hawkeye Keylogger.
So, the story and the threat continue to develop.
Researchers at Trend Micro have released a technical report about a new ransomware family
called Big Head, which emerged in May of 2023. Two variants have been observed,
Trend Micro writes, and its report details three versions of the Big Head ransomware. The first seems to be strictly ransomware.
The second, however, incorporates an infostealer
that Trend Micro calls WorldWind into the package.
The third variant, called Neshta,
seems to be a supplementary file infector
that, when employed with either the first or the second variants,
can work to serve as a camouflage technique for the final Big Head ransomware payload.
Neshta can make an infestation look like a different type of threat, a virus for example,
that can muddle priorities and divert resources from countering the actual ransomware threat.
Trend Micro assesses that the actors behind this new ransomware may not be very sophisticated.
They say,
We also checked their Bitcoin wallet history and found transactions made in 2022.
While we're unaware of what those transactions are,
the history implies that these cyber criminals are not new at this type of threats and attacks,
although they might not be sophisticated actors as a whole.
The report adds,
Moreover, advertising on YouTube without any evidence
of successful penetrations or infections
might seem premature promotional activities
from a non-technical perspective.
From a technical point of view,
these malware developers left recognizable strings,
used predictable encryption methods,
or implementing weak or easily detectable evasion techniques, among other mistakes.
Sophisticated or not, the misdirection toward other forms of malign activity is a bit unusual.
The bad actors more commonly try to deceive by misrepresenting malware as benign.
The Record reports that the crypto platform Multichain has suspended its services as it investigates claims that more than $125 million in cryptocurrency was stolen.
Multichain is a cross-blockchain exchange service, a bridge,
that allows users to exchange cryptocurrency
between various blockchains and networks.
In a July 6th tweet,
Multichain advised all of its users to suspend use of its services
and revoke all contract approvals related to Multichain.
CryptoMode reports that the theft covered several assets
belonging to Multichain.
They say the total haul from the theft amounted to a staggering $126 million.
The Record says that this isn't the first time a cross-blockchain bridge has been targeted.
They say cross-chain bridges like Multichain continue to be a ripe target for hackers in 2023
after billions were stolen throughout 2022.
CISA has added CVE-2021-29256 to its Known Exploited Vulnerabilities Catalog.
The flaw is a use-after-free vulnerability affecting the Arm Mali GPU kernel driver.
Bleeping Computer notes that the vulnerability
can let attackers escalate to root privileges
or gain access to sensitive information on targeted Android devices
by allowing improper operations on GPU memory.
CISA adds that Binding Operational Directive 22-01
requires federal civilian executive branch agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.
Google issued a patch for this flaw last week, along with fixes for two other actively exploited Android vulnerabilities.
More patches from other vendors may be expected tomorrow, which is, after all, Patch Tuesday.
Updates are expected from both Microsoft and Adobe.
SecurityWeek reports that Progress Software, whose MOVEit Transfer product vulnerability has been felt broadly across many sectors,
has issued patches for three security flaws affecting MOVEit.
The vulnerabilities could be exploited to steal information.
The company says it will begin issuing service packs
to simplify the patching process for its MOVEit products,
stating,
These service packs will provide a predictable, simple,
and transparent process for product and security fixes.
We have heard from you that a regular cadence and predictable timeline
will enable you to better plan your resources
and make it easier to adopt new product updates and fixes.
As a part of these service packs,
we will also be optimizing the installation process
to make the upgrade process simpler.
Killnet has continued to call for people interested in hacking
in Russia's interest to join them, and the hacktivist auxiliary says it's offering training to those willing to sign up. Killmilk is interested in transforming the group into a private cyber-military corporation,
one that could be hired to attack NATO targets under Russian orders.
This seems unlikely to happen in the near term.
Killmilk's own conduct during the Wagnerite mutiny was sufficiently ambivalent
to open the door for reasonable doubt concerning their political reliability.
Unlike the criminal gangs who've made financially motivated attacks against targets in unfriendly states, Cl0p for example,
Killnet's mix of brag and DDoS may not easily be monetized.
And finally, in a note from Russia's hybrid war against Ukraine,
The Verge describes how Telegram, with its small staff, tolerant moderation practices,
and large user base, especially in Russia and Ukraine,
has enabled an outsized contribution to the sharing of war news.
The social medium has been permitted to operate relatively unmolested by Roskomnadzor, Russia's internet
regulation body, at least since the last round of attempted censorship was abandoned in 2020.
Instead, the social platform has been the locus of free speech, sound information,
disinformation, contending narratives, and a range of conspiracy mongering.
The Russian agencies seem to be leaving Telegram largely alone
because they believe they may be able to break its anonymity
and track its users if they haven't already done so.
If you're a Telegram user in Russia, sleep with one eye open
and keep a good scorecard of Kremlin talking points.
Coming up after the break,
the FBI's Deputy Assistant Director for Cyber,
Cynthia Kaiser, joins us with examples of the agency's
technical disruption operations.
Our guest is Scott Piper from Wiz,
sharing findings from their
State of the Cloud 2023 report. Stay with us.
Scott Piper is Principal Cloud Security Researcher at cloud security provider
Wiz. They recently published their 2023 State of the Cloud report,
and I checked in with Scott Piper for the details.

There's always been kind of an assumption that AWS is, you know, kind of the
main cloud provider used by a number of companies, and that really is playing out in the data set
that we see. No matter how we tried to slice and dice that data, you know, we did see that AWS is the major cloud provider there.
And by a pretty large gap as well.
What about companies sort of spreading their information among multiple cloud providers?
What are you tracking there?
So I think there's this kind of myth that multi-cloud, this concept of multi-cloud is a common thing,
where that concept is that you have this single architecture that spans across multiple cloud
providers, and you're able to easily move between them, whether that's for disaster recovery
purposes, perhaps, or just the ability to move between them, maybe to take advantage of various costs,
better features of different clouds. And we really see that that's not the case.
Companies tend to be focused very heavily on a single cloud provider. And there's a number of
reasons for why that probably is. We didn't really try to identify in our data why that is.
However, you know, there's an assumption that it's probably due to things like data gravity,
that it's just difficult to try and move cloud, your data between the different cloud providers.
You know, people tend to focus on the different clouds. And the reason for that being is that
they're very complex. And that's
some data points that we included in the report was just showing the constant growth of the
complexity of the cloud providers. And that's growing in every way that you can imagine. So,
you know, whether it's looking at the revenue growth, so we looked at the SEC filings of the
different cloud providers in order to see the growth of their cloud businesses, but also things like the API growth.
So we were able to look at the SDKs of AWS and look at basically the API counts from, I think it was all the way back to 2016.
And you can see there's just this constant, steady growth of the number of APIs they have.
And what that means is that as the APIs are growing, the complexity of that cloud is growing.
So not only does it have more actions, more APIs that you can take advantage of,
what that means though, is that there's more services, there's more features.
Each of those APIs themselves has growing number of parameters associated with it. And so this complexity is just increasing. And I think as a result of that, that's one of the reasons why companies really tend to focus on a single cloud is just that it's too hard to try and keep up with all the different cloud providers, all the different features they have, and how you could potentially misconfigure them,
whether that's security reasons or other types of misconfigurations you can make as well.
All these different reasons, I think, really are encouraging companies
or motivating them to stay on a single cloud for most of their workloads.
I believe my personal assumption is the reason
that they're spanning some of these clouds
when they do have multiple cloud providers
tends to be things like acquisitions or just other events
that are causing some of the different cloud providers to be used.
But it's not really, in my opinion,
not like a focused goal for them to attempt to use the other clouds.
Well, when you look at the information you've gathered here, what are the risks that organizations
face based on the types of cloud usage that you're tracking?
One of the interesting things about this report is we tried to not have the report exist as kind
of a sales pitch for Wiz.
And so looking at the report, it's generally accessible to anybody that is interested in the state of the cloud in general, not even cloud
security. And so I think that was kind of a different approach that we had with this report
is, you know, a lot of times when people put together white papers like this, it's very much
a sales pitch for their company in some way. And so we tried to avoid that a little bit. But we did discuss some things. We did,
for example, some research where we created some public S3 buckets in a couple of different ways.
And we were interested in how quickly are those going to be found by attackers? And so
we've seen some examples where it's fairly well known amongst cloud security professionals
that if you put an AWS access key on GitHub, that that access key is going to be found
very quickly by attackers.
And they're going to, they've automated tools that are going to try to use those access
keys to spin up cryptocurrency mining is one of the common things that they do.
But we were curious, what if we create a public S3 bucket with a completely random name,
nobody can guess this name, and we reference it in a public GitHub repo. So we just basically
provide a commit, merge that PR into a public GitHub repo, and it just references a public S3 bucket.
Will attackers find that through automated scripts or other means and try to list the contents
of that S3 bucket?
And so we did find that, yes, they do that.
And I can't remember the exact number.
It was less than 24 hours, though,
in which they were able to do it.
I think it was maybe seven hours for this.
And then another experiment we did was we've seen that there are tools that exist publicly
that allow attackers to try and brute force guess the names of S3 buckets. So what you do is you
basically provide these tools with the name of a company, and then they're going to go through a
word list in the same way you might perform password cracking in order to guess names of S3 buckets that that company may
have. So you can imagine, you know, if it was somebody trying to look for S3 buckets of Wiz,
they might try S3 buckets that are named wiz backups, wiz logs, you know, various names like that, and with various types of hyphens and periods
and other types of separation characters in between those words.
And so we're curious, well, what if we create some of these S3 buckets with some common
names of companies, popular company names out there, and create these S3 buckets and, you know, turn on monitoring of them and see how long it
takes attackers to find those. And so we found, I think for that one, again, the number was less
than 24 hours. And I think it was 13 hours for that one.

That's Scott Piper from Wiz.
And I'm pleased to be joined once again by Cynthia Kaiser.
She is Deputy Assistant Director for Cyber at the FBI.
Cynthia, welcome back to the show. You know, you and I have spoken about how traditionally in the past, the FBI helped
victims and often functioned in a reactive kind of way. But these days, you have a broader set
of tools available to you when it comes to cyber to the point of actually being able to go out and
do some technical disruption. Can you share with us what sort of things can you do?

Absolutely. I mean,
the FBI really has three jobs for the American citizens and American businesses, which is to
try to take down adversaries and counter their operations before they ever get a chance to target the U.S., to share information
and provide any assistance we can to stop targeting once it's occurred, and then to provide
justice to, if you unfortunately become a victim, to those victims, as well as provide peace of mind and remediation
assistance as necessary. So within all of that, I think technical operations fall within almost
all of those, but really in that kind of try to prevent space. So the FBI disrupted over 300
malicious cyber campaigns last year. Now that includes a lot of different actions,
but many of which are highly technical.
And I think a great example of this and a recent example of this is our Operation Medusa.
Now, Operation Medusa was conducted in May of this year, where we led a multi-agency joint cyber operation to globally disrupt SNAKE, the most sophisticated cyber espionage tool designed by the Russian Federal Security Service. Most people know them as FSB. And they use that for long-term intelligence
collection on sensitive targets. So FSB used it to conduct operations against high-priority targets
like government networks, research facilities, journalists, and their targeting wasn't random.
Infection points may have been chosen because of their low security, innocuous reputation, or high traffic volume specifically due to the
information they held, like foreign policy communications. We'd identified snake infrastructure
across 50 countries in North and South America, Europe, Africa, Asia, and Australia, including the U.S. and Russia itself. So kind of going into the
operation. The FBI, through its technical capabilities, led an effort to mitigate the
malware by disrupting its critical functions. So we were basically able to render it
inoperable, both in the U.S. and then with our partners abroad. I think a great outcome and good read for your readers,
and I think you've talked about it on the show before,
is the cybersecurity advisory that we put out,
which is just a phenomenal piece,
cyber threat intelligence.
It's called Hunting Russian Intelligence Snake Malware.
And it detailed not only technical mitigations
or just the technical details behind the operation, but I think had some of the strongest attribution language in there as well.
And it really demonstrated the lengths that we had gone technically to collect, to understand the adversary, and then to be able to counter it.
And there are diplomatic elements to this as well. I mean, this really
puts the message out to our adversaries in a way that is direct and straightforward.
Absolutely. It puts the message out to our adversaries that we are going to ensure that
we have our information correct, that we're going to be dogged in our pursuit
of ensuring we understand the truth, and that we're going to share that with American businesses
and the American public to make it known. But I like what you said about a diplomatic element
there, because I think what's not often thought about when we put out things publicly, is the diplomatic element in this space.
It provides our allies with a full technical-details rundown of exactly what another country
has done, not just to the U.S., but to their own citizens, to people in our allies' countries.
It gives them the ability to join us and speak with us and talk about cyber norms on the international stage in a way in which you can't do necessarily just with
sharing classified information across borders. So these operations and publications provide such a key element in, I think, the global understanding and global cyber norming that needs to occur in this still relatively new space.
An operation like Medusa, where you're able to take down Snake, how much of a setback is that for an organization like the FSB?
It's a huge setback.
Taking down the tools or taking offline different backdoors, maybe like we did in the March campaign.
So we did that a few months later in 2021, where China had put backdoors onto thousands of U.S. networks.
And we were able to, either through mitigation advice and publications,
but then through a technical operation as well,
shut those backdoors, not enable a massive campaign to continue.
That's a huge blow to these organizations
because they're spending millions of dollars and
putting thousands and thousands of hours against conducting operations like this,
and we render them ineffective when we're able to conduct these operations. And we buy time so that
they have to reconstitute. They have to try again, do all that work again. And that's time in which they're not targeting Americans.
For you and your colleagues, there must be a certain sense of gratification as well,
personally and professionally.
Absolutely.
I work with some of the best people.
And I like to tell people a lot of times, like, I think I have the best job in Washington
because every day I get to come in to work and know that I'm keeping my friends, family, and community safe. And that's what
drives so many of the men and women across the FBI, and especially at FBI Cyber, is they're not
here for the money, trust me. They're here because they really want to make a difference and they get
to see that difference every day. And that's just exciting. It's exciting to know that you're playing that part in national security.

Cynthia Kaiser is Deputy Assistant Director for Cyber
at the FBI. Cynthia, thank you so much for sharing your expertise.

Thank you.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out
the Grumpy Old Geeks podcast where I contribute a regular segment on Jason and Brian's show.
We have a lively discussion every week. You can find Grumpy Old Geeks where all the fine
podcasts are listed. We'd love to know what you think of this podcast. You can email us
at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and
insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence
routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the
world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment, your people. We make you smarter about your team
while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Trey Hester with original music by Elliott Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.