CyberWire Daily - Notes on the C2C market. A new cyberespionage threat actor has surfaced. Sharkbot made a brief return to Google Play. Privateering and catphishing in the hybrid war.
Episode Date: September 6, 2022

A phishing-as-a-service offering on the dark web bypasses MFA. The Worok cyberespionage group is active in Central Asia and the Middle East. Prynt Stealer and the evolution of commodity malware. Sharkbot malware reemerged in Google Play. BlackCat/ALPHV claims credit for attack on the Italian energy sector. Joe Carrigan shares stats on social engineering. Our guest is Angela Redmond from BARR Advisory with six cybersecurity KPIs. And the Los Angeles Unified School District was hit with ransomware.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/171

Selected reading.
EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web (Resecurity)
Worok: The big picture (WeLiveSecurity)
Dev backdoors own malware to steal data from other hackers (BleepingComputer)
The Prynt Stealer malware contains a secret backdoor. Crooks steal data from other cybercriminals (Security Affairs)
Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan (The Hacker News)
SharkBot malware sneaks back on Google Play to steal your logins (BleepingComputer)
BlackCat ransomware claims attack on Italian energy agency (BleepingComputer)
11.84GB of United States Military Contractor and Military Reserve data has been leaked. (vx-underground)
Hackers honeytrap Russian troops into sharing location, base bombed: Report (Newsweek)
LAUSD hit by hackers in apparent cyber attack (FOX 11 Los Angeles)
Los Angeles Unified Targeted by Ransomware Atta (Los Angeles Unified School District)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/N2K, code N2K.
A phishing-as-a-service offering on the dark web bypasses MFA.
The Worok cyber espionage group is active in Central Asia and the Middle East.
Prynt Stealer and the evolution of commodity malware.
SharkBot malware re-emerged in Google Play.
BlackCat/ALPHV claims credit for an attack on the Italian energy sector.
Joe Carrigan shares stats on social engineering.
Our guest is Angela Redmond from BARR Advisory with six cybersecurity KPIs.
And the Los Angeles Unified School District was hit with ransomware.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 6th, 2022.
Yesterday, researchers at security firm Resecurity reported an interesting discovery in the criminal-to-criminal market.
They found a new C2C offering, called either EvilProxy or Moloch, that sells phishing as a service.
And we note in passing that the hoods are growing increasingly direct and literal in the way they name their wares.
EvilProxy is interesting in that it shows some ability to bypass multi-factor authentication.
It's a commodity service, but an advanced one. As Resecurity puts it, an underground service like EvilProxy enables threat actors to attack users with enabled MFA on the largest scale without the need to hack upstream services.
That is, it represents a more direct mode of attack than the recent Twilio compromise did. It also represents an advance in criminal capability.
Reverse proxy and cookie injection attacks have been seen before as ways of evading multi-factor authentication, but hitherto it had been state-directed intelligence services who'd been observed using these techniques. The methods are now being made available to criminals.
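The reverse-proxy MFA bypass just described, shown as an added worked example that is not part of the episode or of Resecurity's report. It simulates a relying party, a victim, and an adversary-in-the-middle proxy: with password plus TOTP, the proxy only has to relay the one-time code unchanged and keep the session cookie the genuine site returns, which the operator can then use as the victim; with an origin-bound authenticator (WebAuthn-style), the browser writes the origin it is actually on into the signed data, so the relying party rejects the assertion whether the proxy forwards it honestly or rewrites the origin to the real one. Every hostname, secret, and user here is constructed, and the authenticator signature is simulated with HMAC rather than real public-key cryptography.

```python
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"       # constructed: the genuine site
PHISH_ORIGIN = "https://login.example-com.net"  # constructed: the proxy's look-alike

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, as common authenticator apps compute it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def sign_client_data(key, client_data):
    """Stand-in for the authenticator's signature (HMAC, not a real public-key
    signature). The browser fills in 'origin', so the signed data names the site
    the user is really on, whatever the page claims."""
    digest = hashlib.sha256(
        f"{client_data['challenge']}|{client_data['origin']}".encode()).digest()
    return hmac.new(key, digest, hashlib.sha256).hexdigest()

class RelyingParty:
    def __init__(self):
        self.users = {"alice": {
            "password": "correct-horse-battery",
            "totp_secret": b"constructed-totp-seed",
            "authenticator_key": b"constructed-authenticator-key",  # stands in for a registered public key
        }}
        self.sessions = {}    # cookie string -> username (keyed by the cookie for brevity)
        self.challenges = {}  # username -> outstanding challenge

    def _new_session(self, user):
        cookie = f"session={secrets.token_hex(16)}; Secure; HttpOnly"
        self.sessions[cookie] = user
        return {"Set-Cookie": cookie}

    def login_with_totp(self, user, password, code, now):
        u = self.users.get(user)
        if u is None or password != u["password"] or not hmac.compare_digest(
                code, totp(u["totp_secret"], now)):
            return None
        return self._new_session(user)

    def begin_webauthn(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def finish_webauthn(self, user, client_data, signature):
        if client_data.get("challenge") != self.challenges.pop(user, None):
            return None
        if client_data.get("origin") != REAL_ORIGIN:
            return None  # the browser reported some other origin
        if not hmac.compare_digest(signature, sign_client_data(
                self.users[user]["authenticator_key"], client_data)):
            return None  # client data was altered after it was signed
        return self._new_session(user)

class ReverseProxyPhish:
    def __init__(self, rp):
        self.rp = rp  # the real site this proxy (on PHISH_ORIGIN) relays to
        self.captured_cookies = []

    def relay_totp_login(self, user, password, code, now):
        # Password and OTP pass through unchanged; the genuine Set-Cookie is kept.
        resp = self.rp.login_with_totp(user, password, code, now)
        if resp:
            self.captured_cookies.append(resp["Set-Cookie"])
        return resp

    def relay_webauthn(self, user, authenticator_key):
        # The victim signs over PHISH_ORIGIN. Pass one forwards that honestly;
        # pass two rewrites the origin but has to reuse the victim's signature.
        outcomes = []
        for claimed_origin in (PHISH_ORIGIN, REAL_ORIGIN):
            signed = {"challenge": self.rp.begin_webauthn(user), "origin": PHISH_ORIGIN}
            sig = sign_client_data(authenticator_key, signed)
            outcomes.append(self.rp.finish_webauthn(user, dict(signed, origin=claimed_origin), sig))
        return tuple(outcomes)

def run_demo(now=1662422400):
    rp = RelyingParty()
    proxy = ReverseProxyPhish(rp)
    alice = rp.users["alice"]
    code = totp(alice["totp_secret"], now)  # what Alice's phone app shows
    proxy.relay_totp_login("alice", alice["password"], code, now)
    stolen = proxy.captured_cookies[0] if proxy.captured_cookies else None
    forwarded, forged = proxy.relay_webauthn("alice", alice["authenticator_key"])
    data = {"challenge": rp.begin_webauthn("alice"), "origin": REAL_ORIGIN}
    direct = rp.finish_webauthn("alice", data, sign_client_data(alice["authenticator_key"], data))
    return {
        "otp_session_used_by_attacker": rp.sessions.get(stolen),
        "webauthn_through_proxy": forwarded,
        "webauthn_through_proxy_forged_origin": forged,
        "webauthn_direct": rp.sessions.get(direct["Set-Cookie"]) if direct else None,
    }
```

Running run_demo() shows the TOTP login producing a cookie that resolves to "alice" for whoever holds it, while both proxied WebAuthn attempts come back None and only the direct login on the real origin succeeds. The same asymmetry is why the relay works against OTP codes no matter how they are delivered: the code proves possession of a secret, not that the user is talking to the right site.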
Security firm ESET has released research into a threat group it's calling Worok.
They characterize it as sophisticated, and while "sophisticated" is a word that's thrown around a lot, in this case ESET uses it with some justice.
They say, Worok is a cyber espionage group that develops its own tools,
as well as leveraging existing tools to compromise its targets.
The motive is espionage.
Stealing information from their victims is what they believe the operators are after
because they focus on high-profile entities in Asia and Africa,
targeting various sectors, both private and public,
but with a specific emphasis on government entities.
It's unclear whom Worok is working for,
despite some circumstantial overlap with other groups, some of them associated with Beijing. ESET says, activity times and tool set
indicate possible ties with TA428, but we make this assessment with low confidence.
Their custom tool set includes two loaders, one in C++ and one in C#/.NET, and one PowerShell backdoor.
And ESET invites contributions from other researchers, saying,
While our visibility is limited, we hope that shedding light on this group will encourage other researchers to share information.
Zscaler researchers report that Prynt Stealer,
an InfoStealer being traded in the C2C market,
turns out to have been designed to defraud the criminal customers who've bought and employed it.
The malware itself has been developed from open sources and legacy malware,
mostly AsyncRAT and StormKitty.
Zscaler says that many parts of the Prynt Stealer code have been borrowed: AsyncRAT gives Prynt Stealer a multifunctional remote access Trojan, and StormKitty contributes the information stealer.
Code similarities suggest that Prynt Stealer's developers may also have been involved with the WorldWind and DarkEye malware.
What the criminal customers don't count on getting with their purchase
is a backdoor the developers inserted to funnel the stolen information back to themselves.
Zscaler says the backdoor sends copies of victims' exfiltrated data gathered by other threat actors to a private Telegram chat monitored by the builder's developers.
While this untrustworthy behavior is nothing new in the world of cybercrime, the victims' data end up in the hands of multiple threat actors, increasing the risks of one or more large-scale attacks to follow.
The bad faith is interesting, but not particularly surprising.
What's most striking about Prynt Stealer is the waypoint it marks in the continuing evolution of malware
into a poorly constructed but good-enough commodity suitable for operation
and even development by relatively unsophisticated threat actors.
NCC Group's Fox IT unit reports that SharkBot has resurfaced in an improved form,
versions 2 and 2.5, carried by two compromised apps that were made available in Google Play.
Mister Phone Cleaner and Kylhavy Mobile Security, the two compromised security apps, between them attracted some 60,000 downloads before being removed from Google Play.
The newer versions of SharkBot retain the malware's original functionality, including keylogging, SMS interception, overlay attacks that display a phishing site, and remote control over affected devices.
To these, version 2.5 adds a cookie stealer.
The operators have also expanded their targeting to include victims in Spain, Australia, Poland, Germany, the United States, and Austria.
The BlackCat/ALPHV ransomware privateers have claimed responsibility for an attack against Italian renewable energy provider GSE.
This is the most recent in a string of attacks against Western European energy sector targets, BleepingComputer reports.
It had earlier hit Eni SpA, the largest energy company in Italy, with minimal effect on the utility's operation, and has also claimed the attacks against natural gas pipeline and electrical grid operator Creos Luxembourg S.A. and the German oil supply company Oiltanking.
BlackCat/ALPHV is a Russian gang widely believed to represent a rebranding of the BlackMatter/DarkSide group, and so this seems to be a continuation of privateering in Russia's hybrid war.
VX Underground claims that someone is posting 11.84 gigabytes of United States military contractor and military reserve data. The data was acquired in a 2022 breach of databases in Puerto Rico,
and those who are advertising the data dump on Telegram say
they're making the data available in response to the atrocious acts
that the U.S. has been involved with all these years
without regard for human lives.
It's unclear who's leaking, but VX Underground speculates,
we suspect the now-defunct Conti ransomware group is distributing United States military data they acquired when they breached Puerto Rico.
So those responsible might be a Conti successor, Conti alumni, or even a revenant Conti itself.
VX Underground is an online repository for malware, a not-for-profit that
collects malicious code. It's not a criminal organization, but rather a resource for researchers.
Social media continue to present an OPSEC challenge to Russian forces. Ukrainian operators
are said to be catfishing Russian soldiers using dating profiles to induce the lovelorn to reveal unit locations and other sensitive information.
It seems unlikely that targets could actually be developed in this way,
but target indicators certainly might.
A target is something you can shoot at.
A target indicator is something, roughly, that tells you where to look for something to shoot at.
In any case, there's an enduring lesson here.
Don't be a sucker on social media.
Shakespeare knew that.
As he wrote,
And finally, school's back in session, even if the big school district gets schooled with ransomware.
Details are sparse, but the Los Angeles Unified School District has disclosed a ransomware attack it discovered over the weekend.
School remains in session, and the district has called in lots of federal help, saying,
after the district contacted officials over the holiday weekend, the White
House brought together the Department of Education, the Federal Bureau of Investigation, and the
Department of Homeland Security's Cybersecurity and Infrastructure Security Agency to provide
rapid incident response support to Los Angeles Unified, building on the immediate support by
local law enforcement agencies. At the district's request, agencies
marshaled significant resources to assess, protect, and advise Los Angeles Unified's response,
as well as future planned mitigation protocols. So, from Van Nuys to Canoga Park, from Northridge
to San Pedro, cheer your teacher up, Los Angeles kids, and bring a nice apple sometime this week.
After the break, Joe Carrigan has the latest stats on social engineering,
and our guest, Angela Redmond from BARR Advisory, with six cybersecurity KPIs.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home
networks, and connected lives. Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Security and compliance firm BARR Advisory recently released a white paper outlining how business leaders can use key performance indicators, or KPIs, and scorecards to measure and manage their organization's cybersecurity posture. Angela Redmond is director of BARR Advisory's Cyber Risk Advisory practice.
Starting kind of at a high level, cybersecurity KPIs
are a group of metrics that encompass a cybersecurity scorecard. And a cybersecurity
scorecard is really an evaluation and a collection of metrics that can be used to measure the overall
effectiveness of a cybersecurity program from a high level. So you can think of the scorecard
as a report card that gives users a snapshot into their organization's security
posture at any given time. And the scorecards themselves will have several KPIs, each of which
will provide a quantified measure against a predetermined cybersecurity indicator.
And when thinking about KPIs, you want to make sure that they are metrics that are digestible, actionable, and measurable.
So what does that mean? We can use an example. The number of open vulnerabilities is more of a
data point. It doesn't provide you with much insight alone. You probably need a little bit
more context to understand the pervasiveness of the issue. A better KPI could be the percentage of
vulnerabilities closed on time or the number of critical open vulnerabilities. It really all
depends on what matters to your organization. Well, do all of these get weighted equally? I mean,
is it fair to say each organization may prioritize different things?
Absolutely.
So what we like to say at BARR is think about what you would want to know if you were sitting on a beach away from your job.
You don't really want to know absolutely everything cybersecurity related at your organization because you're on vacation.
You want to enjoy yourself. You really want to focus on what truly matters and what can give you comfort to sleep at night.
Well, if we look at the list here, I mean, the six items, you have things like
things being unpatched, unknown devices on a network, open security incidents,
multi-factor authentication, users with privileged access,
and open risks from security assessments. It's a pretty comprehensive list here. Which ones,
if I were to prioritize, is that even something that it's fair to do?
It's absolutely fair to do, but you do need to remember that you need to see the whole picture of cybersecurity on your scorecard. So you really want to focus on that. Not all of these in the list might be applicable to your organization, but most of them probably are.
How do you make sure that you're not just, you know, sort of playing, I don't know, regulatory bingo here and checking off things, but making sure that it actually has an impact on how the organization handles things?
Absolutely. That's very important. At BARR Advisory, we do audits, which sometimes can
be a little bit more of a check the box mindset for some of our clients. With cybersecurity scorecards
and KPIs, you really want to make sure that you have a conversation across your organization
on what truly matters. Focus on what you care about and what impacts your business.
What about translating this information to people throughout the organization? I would imagine
sharing this sort of information with an IT team or a security team, you're going to have to use
different language than you would, say, with the board of directors. Absolutely. You do want to make sure
that each individual KPI is assigned to one person. That's the person that's responsible
for owning it. But overall, the management team owns the scorecard itself. So the management team
is not necessarily going to want to care about every single KPI.
They just want to see how, they just want to get a pulse of how the organization is doing.
We recommend at BARR Advisory that organizations have periodic reporting to the board of directors,
but at more of a high level. What are your recommendations for organizations who want
to get started with this sort of thing? How do you set down this path? Absolutely. It's important
to make sure that you have multiple perspectives from your organization. So what matters to one
department could be critical, but they may be missing out on a key indicator that another
group is responsible for.
So when you're starting out putting together a scorecard,
you want to make sure that you have representation throughout the organization together to discuss what's critical.
And what about the frequency of taking these measurements? How do you establish that?
That can vary from organization to organization. We're not really assessing and evaluating what purpose the KPI is serving. We recommend at BARR Advisory that at least twice a year the KPIs themselves be reviewed for relevance.
That's Angela Redmond from BARR Advisory. Thank you.
with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
It's a story we covered last week on the Cyber Wire.
This is a release from the folks over at NordVPN.
Survey results.
Written by Charles Whitmore, and it's titled,
How Widespread Are Social Engineering Attacks?
I want to swing back around to this and get your take on what's going on here, Joe.
What caught your eye?
Well, first off, I love when people do surveys.
That's interesting.
They surveyed 1,000 Americans to find out some information about social engineering attacks,
and they found that 84% of the people surveyed have experienced some kind of social engineering attack. One of the telling things here is that only 46 percent of the people surveyed have heard the term social engineering. And, you know, I am not a big fan of the term because the first time I heard the term, I didn't think cybersecurity-related stuff at all, right? The first time I hear the term, I think building a better society, right? Or attempting to build a better society.
Like intentionality and building communities, that sort of thing. Yeah.
That's what I think of. That was the first thing I thought of when I heard the term. And I said,
what does it mean in this context? And they said, oh, and, but the thing about it is it's a piece of jargon. And the value of jargon is that it quickly communicates a broad piece of information in two words, social engineering.
So while I don't like the term, it's the term of art that we have.
Right.
So I deal with it.
We're stuck with it now.
Right.
We're stuck with it.
Social engineering, the term is here to stay.
Yeah.
So social engineering is the vast array of techniques that bad guys use to get people to operate against their own interests.
And it's a lot easier than saying that than just to say social engineering, right?
All right.
Interesting that 84% of people have experienced these kind of attacks, like 48% have received suspicious emails with links or attachments.
Yeah.
I'll bet that's 48% of the people know that they received that.
I think that it's probably much higher than that.
I think these statistics are probably low.
Yeah.
Suspicious texts, 39% have received those.
37% have received pop-up advertisements that are difficult to close.
Yeah, I know.
Where's the X? Where's the X? Right. I want to know where the other 63% are browsing, because that's where I want to browse.
Yeah, right. Exactly. Here's a good one. 32% have received suspicious emails from someone
posing as an important person asking them to wire funds. Wow. 32%,
that's a third of the people surveyed have received impersonation scams. And the reason
that is so high, and I think that might be accurate because it's pretty easy to spot that.
But that's so high because it works. It works. When it works, it pays out big. Let's see, 26% have had a virus on their phone or computer,
and 19% have had malware on the device redirect them to a fake version of a website.
I've had, there is one incident I had early on in my career where somebody got into my hosts file on my computer, or somehow replaced the hosts file on my computer to stop me from going to Google. And I think it was when I installed some software that I got from a web browser.
This was years and years and years ago before I was even in the security field and very early in
my computer science. Yeah. My father fell victim to that once where his Google got replaced
by some other service that would show you ads. Yeah. Couldn't even go to Google because the hosts file was directing me somewhere else. Wow. 36% have fallen victim to phishing emails.
I think that might be accurate. It might be higher than that, but it depends on what you mean by falling for phishing emails.
I've fallen for a phishing email, an impersonation-based phishing email.
I tell that story frequently on Hacking Humans about how embarrassed I was when I went downstairs ready to talk with my boss after responding to an email from some imposter and having somebody come out and go, that was a fake email.
It's so embarrassing.
You know, here I am, Joe Carrigan,
cybersecurity expert,
falling victim to a phishing email.
Right.
But it happens to everybody.
Right.
Well, at least 36%. It can, yeah.
Right.
Interesting.
Interesting stats in here.
18% of people have had email, social media or financial accounts locked as a result. 14% have had personal login details like usernames and passwords stolen, or items paid for and not received, which is interesting.
11% of people who responded have been scammed into investing their money
by bogus promises of quick riches.
So 11% of people have admitted to going into some investment scam and losing money in the deal.
That's a lot.
That is a lot.
That's huge.
11% have also had their work details, login credentials stolen, which I think is also a lot.
I don't know how far back in the time horizon this is, but it's interesting.
What do you suppose, I mean, these are, I find some of these statistics surprising.
Right. But how do you think we come at this? It sounds to me like a lot of this is awareness or lack of awareness.
Yeah, I think you're right. The big issue is that a lot of people don't understand that, well, security is not top of mind.
I have this theory about this, and this is just my speculation, right?
And it's that the rapid development of computer technology over the past couple of years, past couple of decades, let's say, right, has really, I mean, it's vastly different today
than it was 30 years ago.
So from a human perspective,
a lot of this stuff is a black box to people.
And people believe that computers are these magical boxes
or these technological marvels, if you want to call it that, not magical boxes.
I don't want to seem like I'm belittling people, but they are technological marvels. But it seems that
people forget that on the other end of that communication channel may not be someone who is
everything they say they are. And the explosion of this availability of this kind of communication,
we've never had this before in human history.
Yeah.
Right?
It's all new.
So we're kind of working our way through that.
So really, we have to, as a species, come to understand what it is that we've created here, what this thing, the internet, is, you know?
Right.
And that not everybody on it is an honest and upright person.
And that when a computer says something, it only says that because a human told it to say that.
Right.
Right.
And that human may not be a good guy.
Yeah.
He may be a bad guy.
Yeah.
And I think that's important.
Everybody has to realize that.
Yeah.
And spread the word.
And spread the word.
Right.
All right.
Well, again, this is a report from the folks over at NordVPN.
Definitely some interesting stats there.
Worth a look?
Yeah, I love these articles with all the stats.
I probably bored your listeners through all the stats, but I'm like, ooh, stats.
All right.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.ca.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.