CyberWire Daily - Notes on current cyber criminal campaigns. Will Exercise Cyber Flag show the way toward an expedition to the virtual shores of a metaphorical Tripoli?
Episode Date: June 24, 2021

The ChaChi Trojan is out, about, and interested in educational institutions. Bogus free subscription cancellations figure in a social engineering campaign designed to get the victims to download Bazar...Loader. Ursnif is automating fraudulent bank transfers with Cerberus Android malware. The US Senate invites the Department of Defense to think of ransomware as analogous to piracy, and Defense says it's thinking along those lines. And rest in peace, John McAfee. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/121 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The ChaChi Trojan is out, about, and interested in educational institutions.
Bogus free subscription cancellations figure in a social engineering campaign
designed to get the victims to download BazarLoader.
Ursnif is automating fraudulent bank transfers with Cerberus Android malware.
The U.S. Senate invites the Department of Defense to think of ransomware as analogous to piracy, and Defense says it's thinking along those lines.
Ben Yelin looks at digital IDs on mobile devices.
Our guest is Brian Patton of Quest Software on shoring up your defenses against future threats.
And rest in peace, John McAfee.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, June 24th, 2021.
BlackBerry researchers have been tracking a variant of the Golang remote-access Trojan.
They're calling the variant ChaChi, and it's being used by operators of the PYSA ransomware.
Educational institutions have recently figured prominently among the gang's targets.
As Bleeping Computer observes, the RAT has been upgraded to include the obfuscation,
port forwarding, and DNS tunneling capabilities it formerly lacked.
Microsoft is tracking an active BazaCall campaign, ZDNet reports. Palo Alto Networks last month described how BazaCall backdoors
vulnerable Windows systems with BazaLoader malware. A note on naming. Microsoft's tweets
have called the campaign and the malware BazaCall and BazaLoader, respectively. Most others call
the campaign and the malware BazarCall and BazarLoader. Either way, they're the same threat.
The BazarCall operators use, in effect, a call center as a major link in their social engineering
chain. The scam begins with a phishing email telling the recipient that their free trial
subscription to some service is about to expire, and that unless they call a number to cancel it,
they'll automatically be enrolled in
and, of course, charged for the subscription. The examples of emails Microsoft shares screenshots of
in their tweets are patently bogus. Zoner photo and prepare cooking are the two examples of phish
bait they give. The names are close to those of legitimate services, who of course have no relation whatsoever to the phishers.
Should you be persuaded to call, the operator, who's of course standing by,
will direct you to a site where you're supposed to download an Excel file you can use, the operator says,
to cancel your subscription or decline the upgrade to a premium service, and so on.
Should you be incautious enough, trusting enough to follow the operator's instructions,
you'll be directed to a site that offers an Excel file, as promised,
but one with malicious macros designed to deliver the payload.
That payload has been BazarLoader.
More recently, Microsoft says the gang has been using Cobalt Strike to steal credentials,
including the victim's Active Directory database, and exfiltrate data via rClone.
The campaign is tough to stop by technical means, Microsoft observes.
The initial email contains no links and no attachments,
which are the customary items that trip warnings.
IBM has found a variant of the Ursnif banking trojan using Cerberus Android
malware to help automate fraudulent bank transfers. One of Cerberus' main roles in the attack is to
receive two-factor authentication codes sent by banks to their users when account updates and
money transfer transactions are being confirmed in real time. The new variant has been most often
seen in Italy. The Social reports that U.S. Deputy Assistant Secretary of Defense for Cyber Policy
Mieke Eoyang yesterday told the Senate Armed Forces Subcommittee on Cyber that despite
complications involving international law, the history of piracy suppression holds valuable lessons for dealing with current ransomware attacks.
She seems to have the Barbary pirates in mind, tolerated and encouraged by Tripolitan authorities,
and not the legal combatants who sailed under letters of marque and reprisal.
But to go to the virtual shores of a metaphorical Tripoli is no longer as directly straightforward as sending in Captain Decatur with a file of Marines.
Senator Mike Rounds, Republican of South Dakota, framed the discussion with a brief historical excursion.
Quote,
very clear that when pirates would attack shipping that was vital to the United States,
we actually created the Marine Corps, in a way, to actually go on out and find these private citizens who were acting as pirates, and we basically took them out, even though they had
found a safe harbor in other sovereign countries. In doing so, we extended and recognized that the
defense of our country included the defense of our assets, end quote.
And of course, this was done in cases like the Tripolitan Expedition.
Senator Rounds concluded, quote,
I think it still holds true with regards to cyber attacks, and I think the Department of Defense clearly has a role to play in extending and in protecting,
and I think most citizens of the country believe that if someone from out of the country is going to attack us,
either critical infrastructure or in the case of ransomware,
if there is a way for our Department of Defense to either stop the incoming attacks
or to respond accordingly outside of our country to those incoming attacks,
would seem to be appropriate to do so.
Recognizing that this is not normal, just stealing of information and espionage.
This is a demand for payment, or this is a direct attack on property within the United
States, end quote.
The deputy assistant secretary said she appreciated the senator's analogy, quote, because I've
actually been thinking a lot about the development of international law and piracy as it relates
to cybersecurity, and I think it's a very instructive one for us as a nation. One of the challenges that we saw
with piracy is that territories at that time were either unwilling or unable to do anything about
the threats that emanated from their territory. And I think this is a very important question
for us to be asking now, as we see the cyber actors who are operating outside the United States. There are two possible cases, she said.
The threat actors may be operating from territory the host nation is unable to control,
and the remedy in that case would lie in diplomacy, cooperation, and capacity building.
Or they might be operating, as the Barbary pirates did, at the sufferance of a host
government, and that's a very different matter, a diplomatic challenge and a national security
challenge, as she put it. In such cases, and Russia is the unnamed obvious case, it's necessary to
make it clear to such governments, quote, that they have a choice to make about whether or not
they are willing to do anything about this, and that they will be held accountable for being unwilling to do so.
How to hold them accountable is, of course, the big problem.
Tell it to the Marines, to be sure, but America's Corps of Marines will be thinking through this analogy
in the context of the ways in which international law has evolved over the two centuries in which
Hassan Bey has been replaced by Vladimir Putin. And if you don't believe us that the Marines and
other services are mulling this sort of thing, read yesterday's Marine Corps Times, which has
a story on Cyber Flag 21-2, which is using Cyber Command's persistent cyber training environment in a joint and combined exercise designed not only to train,
but to help shape tactical doctrine.
This year's cyber flag scenario is set in a customarily fictitious location,
in this case a Pacific Allied Logistics Depot,
which has to contend with two distinct adversaries.
One is sophisticated and interested in disruption and denial.
The other is less advanced and concerned with theft of intellectual property and personal data.
By the way, our Ordnance desk informs me that pronouncing it depot and not depo
will help you pass as a member of the Ordnance Corps in bars.
The participants include more than 430 personnel and 17 teams from the U.S., the U.K., and Canada, from the National Guard, the U.S. House of Representatives, and the U.S. Postal
Service.
And finally, Reuters reports that commercial antivirus pioneer John McAfee died yesterday in a Barcelona jail, an apparent suicide.
Earlier that day, a Spanish court had ruled that McAfee would be extradited to the U.S., where he faced charges of tax evasion.
McAfee was 75 and is believed to have taken his life over the prospect of having to spend the rest of it in a U.S. federal prison.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Suppose you find yourself in the midst of that nightmare scenario. Word comes from your team that your network has been compromised. How should you respond, both in the moment and afterwards when things are back up and running? I checked in with Quest Software's principal solutions consultant, Brian Patton, for his perspective.

Well, I think there's an emotional state that happens and people really are in a moment of disbelief and they can't really believe that it's happening to them. I think that's a common problem. And then it's like, okay, what do I do next? What's the next thing I need to be able to do? Is it impacting absolutely everybody? Or is it just affecting, you know, a part of my network?

I see. What sort of mistakes do you find people making in the heat of the moment?

I think a lot of it when you're doing a full disaster recovery is assuming that you were already covered. Unfortunately, there's a lot of different vendors out there that have backup tools. And if you're an executive, you probably think you're already covered. But unbeknownst to a lot of different people, restoring Active Directory and your identity is a lot different than restoring data in a directory.

Yeah. All right. Well, let's say recovery happens and you're back up and running. What now? How do you go about making sure this doesn't happen again?

Having the different key information as to what happened so you understand the attack that did happen is absolutely vital. So hopefully all the different audit data as to what happened wasn't encrypted as well. And hopefully you can salvage it to figure it out. But now you're kind of like, okay, what can we do to contain it? You know, what I've seen is some organizations, they've been attacked, pay the ransom, for example, and they get attacked again if they don't patch it up. So it's really important to put a control in place for whatever vertical was that people did as far as that attack pattern. So this is where it's really good to have an emphasis on how did this happen. So if it's a patch, you can patch it up, make sure that doesn't happen again. If it's due to the fact that people have more rights than they really needed, well, now we need to really fast forward our privileged account management strategies and work on reducing administrative privileges in your environment.

Yeah, it's interesting.
folks who are still kind of, I don't know, whistling past the graveyard and trying to rely on obscurity or security by obscurity, which I suppose you simply can't do anymore.

You can, but you shouldn't. I think it's people realizing that it hasn't happened to them yet. And it's not real until it only does happen to them. You know, it's not a matter of if you're going to be attacked, it's a matter of when you're going to be attacked. And if it does happen, make sure the backup files you have aren't affected as well. We're seeing very commonly where attackers will go out there and attack the backup files first and encrypt that different data. So whatever you can do, whatever tools you're using, make sure you have an offline copy of your backups. And even if you do have that with a third-party provider, figure out what the SLAs are to be able to get those different backups back. If it takes you three days to get a backup back from your vendor, that SLA is probably not going to do you a lot of good.

That's Brian Patton from Quest Software.

Thank you.
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Hello, Ben.
Hello, Dave.
Interesting story from Wired. It's titled, Apple says it's time to digitize your ID, ready or not. This is written by Lily Hay Newman.
And really what this is about is that beginning with iOS 15,
which is coming out this fall, Apple's going to enable you to store your state ID inside your iOS device in your Apple wallet, which is Apple's digital version.
Your airline tickets, your Panera card, and all that fun stuff.
And the AmeriCard and... Yeah, all that stuff.
All that fun stuff, yep.
So this strikes me as being an interesting shift and perhaps a pivot point for this sort of thing.
What's your take on this, Ben?
It's really interesting.
Apple is ahead of the curve here because so far only a couple of states have authorized digital IDs.
A few other states have tried to develop systems and have hired contractors to try and develop a system for having digital IDs. But digital IDs, particularly
when it relates specifically to driver's license, are still in their infancy. Even the states that
allow for digital identification still require you to carry a physical copy of your ID.
And now Apple is saying that at least when iOS 15 is released, the capability will exist
to store your ID digitally, and perhaps that will be the impetus for other states to introduce
digital IDs and maybe over the long term make the identification system exclusively digital,
although I think we're a very long time from that point.
There are a couple potential security concerns here.
You are required to or you are able to use biometric information
to unlock your phone to show your digital ID.
So if you're at the airport and you're getting screened by the TSA,
you need to show them your driver's license. It's really good as opposed to the physical license
that it can't just fall out of your pocket and somebody else can pick it up and use it as a fake
ID. The digital format allows it to be relatively secure. You'd need somebody's fingerprint,
you know, somebody's face ID, et cetera, to open it. Right. But that also presents its own risks because once you have
opened that device, that does potentially open the door for law enforcement to go snooping in
that device. It's been unlocked. And that could be a privacy concern for people who want to use digital IDs.
We also, there's just kind of a lack of transparency from Apple.
Even though they've indicated that this is going to be part of their iOS 15 release,
they haven't really identified any details.
We don't know whether they're going to follow some of the compliance standards
that have already been issued for digital IDs.
And I think a lot of the concerned parties here,
the Electronic Frontier Foundation being one of them,
is sort of withholding their support of digital IDs
until they can see what privacy and security features are included
and whether Apple is working directly with any states on pursuing
universal digital ID policies.
So that's kind of where I see where we are with this issue now.
It's certainly going to be something that if it's available is going to greatly improve
our convenience, particularly at places like airports. But I worry that, you know,
if you are stopped for a traffic stop, you hand law enforcement your phone and they tell you,
unlock this so I can see your driver's license. You give them your device.
They see some incriminating text messages. You know, that might be a problem for you.
So I think it's something that we have to watch out closely
what the details are here going forward.
Yeah, a couple things come to mind.
I mean, folks have pointed out that if they made this ID part of
something that was accessed from the lock screen,
so you could have the ID available without unlocking the phone,
that could be a good step to help with some of those things.
Right, although that would cut against one of the security benefits of it,
that if it were available on the lock screen,
then anybody could steal or pick up your phone and show that ID.
The other thing that I think is potentially interesting
and perhaps beneficial here is if the user had control
over the granularity of the information shared.
For example, I'm waiting in line to get into my favorite college bar.
Creep.
All right.
I'm waiting in line to get into my favorite age-appropriate bar.
There we go.
And that bouncer doesn't need to know my address, right?
The bouncer only needs to know that I am old enough to get into the bar.
Right.
Right?
And that you're you.
Right, exactly.
Perhaps the photo and the age, but they don't need to know your address or whether you are
an organ donor.
Certainly don't need to know my weight.
Oh, gosh.
Right. That's what's good about having an old license is that that weight is out of date.
Right. I'm flattering myself with it.
Yeah.
Is this you? This looks like an old guy.
Yeah. Yeah. Yeah. So I think that could be a potential benefit here that you only
provide access to the information that's necessary in that transaction.
Yeah, we already do that with other uses of Apple Wallet. I mean, the information on the credit card
in your Apple Wallet isn't as complete as the information on an actual physical credit card,
for example. So, you know, if we could develop something like that where maybe as part of the lock screen, you are only showing a picture and somebody's age so that the rest of the information that's more proprietary is reserved for either an unlocked device or a physical copy of that ID.
I think that's something that could be potentially promising.
I mean I'm excited about it because potentially it means that there's fewer things to carry around when you're traveling.
So if I didn't know anything about the potential security concerns,
I think it would be something to be really excited about.
But I just think we have to keep our eye out for the specifics here.
Exactly what is Apple doing?
Who are they working with?
And are they using the standards that have already been developed?
All right, well, certainly it's something to keep an eye on,
but an interesting development either way.
Ben Yelin, thanks for joining us.
Thank you. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yelin,
Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.

Thank you.
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.