CyberWire Daily - Notes from the hybrid war: nuisance-level DDoS, cyberespionage, and the possibility of financially motivated hacking. US policy on the software supply chain, and notes from the underworld.

Episode Date: September 15, 2022

Nuisance-level DDoS and cyberespionage continue to mark Russia's cyber campaign in the hybrid war. There's a US Presidential memorandum on software supply chain security. Webworm repurposes older RATs. Trends in cyber insurance claims. OriginLogger may be the new Agent Tesla. The SparklingGoblin APT described. Mathieu Gorge of VigiTrust describes cyber vulnerabilities in the hospitality industry. Dinah Davis from Arctic Wolf explains a PayPal phishing attack. And Royal funeral phishbait.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/178

Selected reading.

Pro-Russia hackers claim to have temporarily brought down Japanese govt websites (Asia News Network)
Gamaredon APT targets Ukrainian government agencies in new campaign (Cisco Talos)
Russia-linked Gamaredon APT target Ukraine with a new info-stealer (Security Affairs)
Fears grow of Russian spies turning to industrial espionage (The Record by Recorded Future)
Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (The White House)
Enhancing the Security of the Software Supply Chain to Deliver a Secure Government Experience (The White House)
White House releases post-SolarWinds federal software security requirements (Federal News Network)
Webworm: Espionage Attackers Testing and Using Older Modified RATs (Threat Hunter Team Symantec)
Coalition Releases 2022 Cyber Claims Report: Mid-year Update (GlobeNewswire News Room)
OriginLogger: A Look at Agent Tesla's Successor (Unit 42)
You never walk alone: The SideWalk backdoor gets a Linux variant (WeLiveSecurity)
[Scam site harvests credentials] (Proofpoint)
Current, former social media execs address national security issues at Senate hearing (Fox Business)
Senators Have Stopped Embarrassing Themselves at Tech Hearings (Slate Magazine)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Nuisance-level DDoS and cyber espionage continue to mark Russia's cyber campaign in the hybrid war. There's a U.S. presidential memorandum on software supply chain security. Webworm repurposes older RATs. Trends in cyber insurance claims.
Starting point is 00:02:16 OriginLogger may be the new Agent Tesla. The SparklingGoblin APT has been described. Mathieu Gorge of VigiTrust describes cyber vulnerabilities in the hospitality industry. Dinah Davis from Arctic Wolf explains a PayPal phishing attack. And Royal funeral phishbait. From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 15, 2022. Killnet, the nominally hacktivist outfit that works for Russian intelligence services, counted coup against Japan recently, another country Moscow views as unfriendly. The group claimed last week to be responsible for distributed denial of service attacks
Starting point is 00:03:20 against some Japanese government websites, Asia News Network reports. The attacks had only minor effects on their targets. This morning, researchers with Cisco's Talos Group reported that Gamaredon, that is Primitive Bear, has continued its efforts to compromise Ukrainian institutions in a long-running cyber espionage campaign. The technique is phishing and the phishbait is news about the war. Talos says, we discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript scripts
Starting point is 00:04:15 as part of the infection chain. The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint. As sanctions continue to bite, there's a real possibility that Russian cyber operators will turn to industrial espionage, The Record says, as they attempt to regain access to technology now denied them. In this, they would appear to be following the North Korean model, where making money for the state has long been a central goal of offensive cyber operations. Yesterday, the White House issued guidance for federal agencies' use of software security practices.
Starting point is 00:04:59 The memorandum instructs agencies to obtain self-attestation from software providers that their products are in line with NIST's security guidelines. It's advisory and not strongly prescriptive, and some industry observers think it's a further step in presenting best practices. The Symantec Threat Hunter team has released a report detailing the activities of a group they're calling Webworm. Webworm uses three older remote access Trojans (RATs): Trochilus, Gh0st RAT, and 9002 RAT. Webworm is probably connected with the group identified as Space Pirates, perhaps even being the same group.
Starting point is 00:05:47 The group has been active since 2017 and has been seen targeting government agencies as well as enterprises and industries such as IT services, aerospace, and electric power, specifically targeting Russia, Georgia, Mongolia, and other Asian countries. Symantec researchers identified an indicator of compromise from observing an operation targeting an IT provider that serves multiple Asian countries. Prior research had determined that the threat actor uses custom loaders hidden behind decoy documents and modified backdoors that have been around for quite some time, which Symantec says is in line with what they've been seeing. The Trochilus RAT is implemented in C++ and has been observed in use by hackers since 2015, with its source code available on GitHub.
Starting point is 00:06:35 Symantec says that the capabilities of the Trojan include the ability to remotely uninstall a file manager and the ability to download, upload, and execute files, among other things. The 9002 RAT has been around since at least 2009, with state-sponsored threat actors often being users of the malware. The Trojan is used for data exfiltration and has been seen in use by multiple threat actors. The Gh0st RAT's source code has been around since 2008 and has seen continued use by advanced persistent threat groups. Fill out your scorecards at home. Security and insurance firm Coalition has released a mid-year update to its 2022 cyber claims report
Starting point is 00:07:20 and details what claims for cyber losses show with respect to the evolution of cyber trends. Small businesses were found to have become more attractive targets, with the average claim cost for a small business rising to $139,000 in the first half of 2022. This represents a 58% increase over claims for the first half of 2021. The number of ransomware attacks decreased, however, and the dollar amount demanded by ransomware threat actors has also decreased, from $1.37 million in the second half of 2021 to $896,000 in the first half of 2022. Chris Hendricks, Coalition's head of incident response, said, "Organizations are increasingly aware of the threat ransomware poses. They have started to
Starting point is 00:08:11 implement controls, such as offline data backups, that allow them to refuse to pay the ransom and restore operations through other means. As ransomware is on the decline, attackers are turning to reliable methods. Phishing, for example, has skyrocketed and only continues to grow." Phishing attacks have accounted for just over half of reported claims, Coalition says, and they have been found to be the most common trigger for cybersecurity incidents. Palo Alto Networks' Unit 42 has released a report detailing OriginLogger. On March 4, 2019, well-known keylogger Agent Tesla shut down, but not without first recommending in its Discord server another keylogger known as OriginLogger,
Starting point is 00:08:57 saying, "If you want to see a powerful software like Agent Tesla, we would like to suggest OriginLogger. OriginLogger is an AT-based software and has all the features." OriginLogger is a variant of Agent Tesla, sometimes tagged as Agent Tesla version 3, which means that tools meant to detect Agent Tesla should also detect OriginLogger. Jeff White, writer of the report and a researcher at Unit 42, says the functionality of the malware is fairly standard and mirrors other Agent Tesla variants. White said, "Just as the threat actors' advertisements state, the malware uses tried and true methods and includes the ability to keylog, steal credentials, take screenshots,
Starting point is 00:09:44 download additional payloads, upload your data in a myriad of ways, and attempt to avoid detection. Commercial keyloggers have historically catered to less advanced attackers, but as illustrated in the initial lure document analyzed here, this does not make attackers any less capable of using multiple hooks and services to obfuscate and make analysis more complicated. Commercial keyloggers should be treated with equal amounts of caution, as would be used with any malware." Researchers at ESET warn that the Chinese APT
Starting point is 00:10:18 Sparkling Goblin is using a new Linux variant of its Sidewalk malware. ESET states, This variant was deployed against a Hong Kong university in February 2021, the same university that had already been targeted by Sparkling Goblin during the student protests in May 2020. We originally named this backdoor Stage Client, but now refer to it simply as Sidewalk Linux. We also discovered that a previously known Linux backdoor, the Spectre RAT first documented by 360NetLab, is also actually a Sidewalk Linux
Starting point is 00:10:54 variant, having multiple commonalities with the samples we identified. The researchers add that the Linux variant of the malware isn't as evasive as its Windows counterparts, stating, The Windows variant of Sidewalk goes to great lengths to conceal the objectives of its code. It trimmed out all data and code that was unnecessary for its execution and encrypted the rest. On the other hand, the Linux variants contain symbols and leave some unique authentication keys and other artifacts unencrypted, which makes the detection and analysis significantly easier. The name Sparkling Goblin sounds pretty festive, but still, it's bad mojo. As is usually the case with any high-profile event that touches many people,
Starting point is 00:11:42 the funeral of Queen Elizabeth II has been exploited by criminals who are using it for phishbait. In a tweeted series of posts, Proofpoint describes a credential phishing campaign in which messages that misrepresent themselves as coming from Microsoft invite recipients to visit an artificial technology hub established in Her Majesty's honor. The URL redirects to a credential harvesting site. The threat actors are using the EvilProxy phishing kit. Not to be outdone by the Senate Judiciary Committee having heard from Mudge, the Senate Homeland Security Committee has heard from a range of present and former executives at Twitter, Facebook, TikTok, and other social media platforms. We're watching to see how things develop, but in the meantime,
Starting point is 00:12:30 did we say yesterday by mistake that Senator Klobuchar was from Michigan? We think we may have, and we blame the editors. An alert listener from the land of 10,000 lakes, the North Star State of Minnesota, pointed out that we'd slipped. And of course, that's right. Senator Klobuchar represents the sovereign state of Minnesota, and our apologies to her and the entire Gopher State. We blame, as I said, editorial carelessness. Our political desk is fine with states whose names begin with M-A, like Maine and Maryland. But they get hazy when they leave the eastern seaboard for the M-I states like Michigan, Minnesota, Missouri, Mississippi.
Starting point is 00:13:11 Too many Garden Staters on that desk. Forget about it. Coming up after the break, Mathieu Gorge of VigiTrust describes cyber vulnerabilities in the hospitality industry. Dinah Davis from Arctic Wolf explains a PayPal phishing attack. Stick around. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:13:57 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:14:58 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:15:46 The hospitality industry seems to have a target on its back lately, with news stories of hotel chains and resorts falling victim to a variety of cyber attacks and data breaches. Mathieu Gorge is founder and CEO of VigiTrust, an integrated risk management SaaS provider. I reached out to him for insights on the particular challenges organizations in the hospitality sector face. Hotel chains obviously have employees, so they've got employee data, they've got trade secrets and so on. They've got banking information for their suppliers, they've got a list of suppliers. From a consumer perspective, when you go into a hotel, you can expect to provide some sort of ID, so PII, a credit card, so credit card holder data. And let's say that you're going to use the spa or you're going to use any type of other service, you may even provide some protected health information.
Starting point is 00:16:36 So part of the major challenge for the hospitality industry is that some of the services within a hotel may actually be subcontracted to someone else. For instance, the spa could be operated by a third party. Some of the restaurants might be operated by a third party. The gym might be operated by a third party and so on. But from a user perspective, what you want to be able to do is you want to be given one card or one app that allows you to roam about within the property and use all of the different services. And so therein lies the challenge from a data perspective. All of those systems need to be interconnected. And so they are interdependent and become each other's weak points in terms of security. So you need to secure the overall chain and the overall ecosystem and chain of custody.
Starting point is 00:17:31 The second challenge for the hospitality industry is that most large hotel chains operate on a mixed model where they have properties that they own and manage, property that they don't own but manage, and also properties that might be franchised out. And then the third challenge is that there are some franchise operators that will operate brand A, brand B, and brand C in order to have a mix of properties within a certain region. So they end up having to deal with loads of different systems, dealing with the data. But at the end of the day, they're responsible for the overall data. I know you and your colleagues there at VigiTrust do a good amount of work within the hospitality sector.
Starting point is 00:18:17 What are the differences that you see between the hotel chains that are successful here, but then at the other end of the spectrum, we have some chains, even big ones, well-known ones, and we keep seeing their names pop up over and over again as having been breached. One of the characteristics of the property market within the hospitality industry is that there's a lot of buying and selling.
Starting point is 00:18:44 So you might have a chain that one day will belong to Hilton, one day will belong to Accor, and then will move to Marriott, for instance. So they keep buying stuff from each other, depending on their regional strategies and other criteria that they may have. The problem comes within the integration of what they buy and what they sell into the overall security strategy because the systems, particularly the main system, the PMS, might be different.
Starting point is 00:19:15 The payment terminals might be different. And the overall security strategy might be different from one brand to the other. So what you want to do is you want a strategy that protects the data at global level, at regional hub level, and then within each property. And so the most successful chains are extremely careful when they sell a chain of hotel or a group of hotels, because what they do is we make sure that no residual data can come back to hit them afterwards. And they're even more careful when they integrate new properties with new systems.
Starting point is 00:19:58 And those integrations, you have to remember, could take months, maybe a couple of years. you have to remember could take months, maybe a couple of years. And there's been issues in the industry where a large chain bought a big group of hotels from another one and there was a breach within that timeframe. And that can happen, you know. I think that the solution or the best practice for chains of hotels or for franchisors that have multiple properties across one brand or several brands is to really start by mapping the ecosystem and looking at the low-hanging fruit. The low-hanging fruit in the hotel industry, in my humble opinion, is that you can use PCI DSS as the minimum standard of security you need to have in your properties. And that gives you your very minimum benchmark. And none of it is
Starting point is 00:20:53 unachievable. It's all within the realms of reality for any company. And so the other quick win is security awareness training. Security awareness training is mandated by GDPR, by CCPA, by PCI indeed, for anybody that has access to sensitive data. And then, based on that, you can create a very effective program that allows you to essentially fight against social engineering attacks, phishing attacks, and all of those low-level attacks that unfortunately end up being the root cause of most of those breaches within the retail and the hospitality industry. That's Mathieu Gorge from Vigitrust.
Starting point is 00:22:01 And I am pleased to welcome back to the show Dinah Davis. She is the VP of R&D Operations at Arctic Wolf, and she is also the founder of Code Like a Girl. Dinah, great to have you back. You saw some interesting phishing attacks mentioned that seem to be targeting PayPal here. Unpack what's going on here for us. Yeah, this one was so interesting to me. I found it on a Twitter thread, and it's about a phishing email with PayPal. And the user is 0xdf. I tried to figure out what that meant. Like, I tried to do some, like, you know, figuring out with hackers and stuff.
Starting point is 00:22:36 Like, right, leetspeak and all that stuff. Yeah, I don't know. But the person runs a blog called The Hack Box. They're quite prolific on GitHub. They have a whole profile there. So they seem to be like potentially a legit researcher. In any case, this is interesting and it looks like it could really happen. So they got an email that appeared to be from PayPal.
Starting point is 00:23:00 And I have PayPal. They've got screenshots in this Twitter thread. It all looks pretty legit to me. It's from the PayPal domain. The email claimed to be an invoice update and they're asking the user to pay $1,000 US to the billing department of PayPal. So specifically it says invoice updated.
Starting point is 00:23:24 So specifically it says "Invoice updated. Billing Department of PayPal updated your invoice amount due: $1,000. View and pay invoice." So, wow, okay. And then there's like a note from the billing department there where you can call. And there's urgency to this because it says you need to log into PayPal within 24 hours to avoid getting charged.
Starting point is 00:23:46 So you have to like click the link or the number and do it right away. And so the interesting part is when you click the link, you're taken to a legit PayPal site. So that doesn't even compute. It's like, how did this happen? What is going on here? Well, what's going on is another PayPal user is asking them to pay $1,000, and they happen to manage to get the username billing department of PayPal. Right? Okay, yeah. You're hearing me react to this in real time in both horror and admiration for the cleverness. That's what I'm saying. This is pretty clever. Yeah.
Starting point is 00:24:36 And so, you know, yeah, so you actually do get paid. Sorry. You actually do get taken to a legit PayPal site. And, you know, at the top on the right hand side is the pay $1,000. Now, if you scroll down a bit, it says it has itemized list of what the items are. And the item is a Walmart e-gift card. And that should be where your flag goes. What? Right, right. Like this, why am I paying somebody $1,000? Like, why am I paying the PayPal billing department for a $1,000 Walmart e-gift card, right?
Starting point is 00:25:16 So, okay, there is a tell here. There is a tell, right? The other thing is, you know, they were able to get that. Now, my guess is that that particular user has been shut down now. And hopefully, maybe PayPal goes and looks at the usernames people are picking, and that's going to be a bit better. But what's the lesson here? So don't pay for anything on PayPal unless you know it's a legit transaction.
Starting point is 00:25:44 Anybody can send you an invoice. It doesn't even need to be like this fake kind of user. Anybody can send you an invoice on PayPal. They just need your email address, right? Right. So always double check what it's coming in for. Like even yesterday, before I read this, I had one that was like,
Starting point is 00:26:08 Apple is charging you $16. I'm like, for what? I don't remember paying anything. And I had to go through my old emails, find the receipt. Oh, I paid for Duolingo in Spanish for my daughter. Okay, so fine, good. And then I could know that that was all right and that the transaction was fine. But you got to do that research, right? Don't click on links in emails ever. Don't call the phone numbers you get in the emails ever. And when I went to go and check about my Apple receipt, I went to my Apple account and I went to my PayPal directly. I didn't click any of the links in any of the emails. I went and logged in myself and double-checked that things were there.
Starting point is 00:26:54 Another interesting thing, so to do that, maybe you would have typed in, you know, you see this come in, you're like, oh, I want to go to my PayPal page. And you type in PayPal in Google, maybe you don't remember the whole URL, and it pulls up the responses. Do not click on the first Google searches that are ads, ever, for anything. Because there's a lot of phishing that is happening just on those searches with the Google ads. So somebody can create a fake PayPal site, and maybe the L is actually a one, and they can pay for ads that pop it up to the top of the search results. And when you click on it, it looks like you're going there. It feels like you searched it and did the right thing,
Starting point is 00:27:41 When you click on it, it looks like you're going there. It feels like you searched it and did the right thing, but you've now logged in someplace wrong. So I never, ever, ever click the ads for anything. I always go down below the ads, scroll past them, and then hit the first real link that is there. So that's another little tidbit around this. Yeah. So that's another little tidbit around this.
Starting point is 00:28:16 Yeah. Do you suppose the folks who are behind this particular phishing attack, that they're just looking for the inattentiveness of an accounting department or something like that? A hundred percent. That's totally true. And these are really easy to create in PayPal because you just create an invoice. You need a business account to be able to pull this off. And I don't know what the hoops are that you have to go through to get a business account. Maybe those need to be checked by PayPal a little bit more closely. But yeah, it's just creating an invoice
Starting point is 00:28:42 and being able to do something like this. All right. Well, fascinating. Absolutely. Dinah Davis, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Thank you. in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar,
Starting point is 00:30:16 Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. That's ai.domo.com.
