CyberWire Daily - Phishing campaigns (one uses mobilization as phishbait). Credential-stuffing attack affects Norton LifeLock users. Trends in security. Azure SSRF issues fixed. Calls for a "digital UN."
Episode Date: January 17, 2023

A phishing campaign impersonates DHL. Conscription and mobilization provide criminals with phishbait for Russian victims. Norton LifeLock advises customers that their accounts may have been compromised. Trends in data protection. Veracode's report on the state of software application security. Ben Yelin looks at NSO Group's attempt at state sovereignty. Ann Johnson from Afternoon Cyber Tea speaks with Microsoft's Chris Young about the importance of the security ecosystem. And Ukraine calls for a "digital United Nations."

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/10

Selected reading.
Cloud 9: Top Cloud Penetration Testing Tools (Bishop Fox)
Our Top Favorite Fuzzer crowdsourcing pen testing tools (Bishop Fox)
DHL Phishing Attack. Simply Delivered. (Armorblox)
Credential phishing campaign impersonates DHL. (CyberWire)
Phishing scam invites Russian Telegram users to check 'conscription lists' to see if they'll be drafted in February (Meduza)
NortonLifeLock warns that hackers breached Password Manager accounts (BleepingComputer)
Norton LifeLock says thousands of customer accounts breached (TechCrunch)
NortonLifeLock notifies thousands of users about compromised Password Manager accounts (Computing)
Data Protection Trends Report 2023 (Veeam)
Trends in data protection. (CyberWire)
How Orca Found Server-Side Request Forgery (SSRF) Vulnerabilities in Four Different Azure Services (Orca Security)
Orca describes four Azure vulnerabilities. (CyberWire)
State Of Software Security (Veracode)
A look at the state of software security. (CyberWire)
Ukraine calls for 'Cyber United Nations' amid Russian attacks (POLITICO)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
A phishing campaign impersonates DHL.
Conscription and mobilization provide criminals with phishbait for Russian victims.
Norton LifeLock advises customers that their accounts may have been compromised.
Trends in data protection.
Veracode's report on the state of software application security.
Ben Yelin looks at NSO Group's attempt at state sovereignty.
Ann Johnson from Afternoon Cyber Tea speaks with Microsoft's Chris Young
about the importance of the security ecosystem.
And Ukraine calls for a digital United Nations.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 17th, 2023.
Happy Tuesday, everyone.
Good to have you along with us here again today.
Armorblox describes a phishing campaign that's using phony shipping invoices that purport to come from DHL.
The campaign targeted an organization in the education sector with more than 100,000 emails.
The fishhook in the email is contained in an Excel document which, when opened, will display a blurred-out preview of an invoice.
The user will then be asked to enter their Microsoft account login credentials
in order to view the invoice.
The researchers note that the emails were able to bypass email security filters
since they don't contain any malicious links.
The general approach is familiar.
First, impersonate a well-known and trusted brand
using a convincing copy of that brand's logo and other branding elements.
Second, use a single, simple call to action
that's likely to involve something the recipient will care about,
payment issues, account suspension, or in this case, getting that parcel you were expecting.
It's easy, as the world watches Russia's hybrid war in Ukraine, and in the narrower cyber phases of that war,
to see the contribution criminal gangs are making as auxiliaries of Russia's intelligence and security services,
to forget that more ordinary cybercrime persists, and moreover, Russians themselves can also be its victim.
TASS reports, citing information provided by Kaspersky,
that criminals are using Russian mobilization and conscription plans as an occasion for social
engineering attacks against Russian victims. The goal appears to be theft of Telegram accounts.
The report states, scammers steal Telegram user accounts using a phishing mailing list
with an offer to get acquainted with a fake list of people who will allegedly be sent for mobilization on February 1st through the 3rd,
2023, the channel specifies. If the mark follows the link, they'll be directed to a credential
theft site. As Meduza's coverage in its English language edition suggests, the emotions being
exploited are anxiety, worry, and fear. The phishing message promises to send you to a site
that will let you know whether you or a loved one
is on the list of those scheduled to be summoned
for military service next month.
Norton LifeLock's corporate parent, GenDigital,
has warned some customers
that their accounts may have been compromised.
Bleeping Computer quotes GenDigital's letter to customers as saying,
our own systems were not compromised. However, we strongly believe that an unauthorized third
party knows and has utilized your username and password for your account. The incident appears
to have been the result of a credential stuffing campaign detected in mid-December, when an unusually
large volume of failed logins was detected on the 12th.
Norton LifeLock warns,
In accessing your account with your username and password,
the unauthorized third party may have viewed your first name, last name, phone number, and mailing address.
In a Saturday update provided to Bleeping Computer,
GenDigital said it was alerting customers to suspicious
login attempts and helping them secure their accounts, stating,
Gen's family of brands offers products and services to approximately 500 million users.
We have secured 925,000 inactive and active accounts that may have been targeted by
credential stuffing attacks. This is the second incident involving identity and access management services to come to light this month,
the first being issues affecting LastPass users.
The benefits of using a password manager remain, but they're not a panacea,
and they have to be used with proper care.
Secure backup and recovery provider Veeam released their 2023 Data Protection Trends
Report this morning, which surveyed 4,200 IT professionals on data protection drivers,
challenges, and strategies. Hybrid IT remains common, balancing physical servers in data
centers and cloud-hosted servers. Ransomware has been a pervasive issue that will continue steadily into 2023,
and increasingly data security is cloud security.
Cloud dependence continues to grow,
with 80% anticipating the use of backup-as-a-service
or disaster recovery-as-a-service for server protection over the next two years.
Researchers at Orca Security discovered four server-side request forgery vulnerabilities affecting Microsoft Azure instances, two of which could be exploited without authentication.
Microsoft has since patched the flaws.
The affected services were Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.
All four of the flaws were non-blind SSRF vulnerabilities,
which could allow an attacker to scan local ports, find new services, endpoints, and files,
providing valuable information on possibly vulnerable servers and services to exploit for initial entry
and the location of potential information to target. Veracode has published a report on
software application security, finding that 69% of applications have at least one OWASP Top 10 flaw.
Around four out of five programs written in .NET and Java have at least one flaw,
while just over half of JavaScript applications contain a flaw.
Finally, Ukraine is calling for the formation of a Digital United Nations.
Yurii Shchyhol, who leads Ukraine's State Service of Special Communications and Information Protection, told Politico,
We need the Cyber United Nations, Nations United in Cyberspace, in order to protect ourselves,
effectively protect our world for the future, the cyber world and our real conventional world. What we really need in this situation is a hub or a venue where we can exchange information,
support each other and interact. The goal of such an organization would be international threat information sharing
and preparation to withstand cyberattacks.
The metaphor is probably wayward.
The United Nations, after all, seeks to include all states,
and the proposed organization would of necessity leave those who are bad actors out.
And make no mistake about it,
Russia, Ukraine is looking at you, and so are the members of NATO and any number of other countries.
The proposal really represents more of a gesture in the direction of an alliance than it does a comprehensive global association. In any case, international threats would seem to call for
some form of international cooperative defense.
Coming up after the break, Ben Yelin looks at NSO Group's attempt at state sovereignty.
Ann Johnson from Afternoon Cyber Tea speaks with Microsoft's Chris Young about the importance of the security ecosystem.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families
24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast.
And on a recent episode, she spoke with Microsoft's Chris Young
about the importance of the security ecosystem. Here's part of that conversation.
Speaking of partnerships, let's go to our core job at what you and I do daily. So you have this
really large remit where you think about business development, you're thinking about the company
strategy all up, and of course, you lead the ventures team with Michelle Gonzalez.
But I want to focus for just a minute about ecosystem
and why you think ecosystem is important,
even for a company like Microsoft.
And why do you think it's so important
for the security ecosystem to exist
and help our customers and our partners?
No company can solve all the problems themselves.
You know, number one, I think that's true in any space.
I think it's especially true in security.
Like nobody's got 100% of the solution,
partially just because, you know,
security is a living, breathing problem.
It changes all the time.
It changes faster, I'd argue,
than other elements of the technology landscape.
And that's one of the reasons why ecosystem work is super critical to security.
Because as much as we can do at Microsoft, you know, we have a lot of great products and a lot of great solutions that we apply to helping our customers solve some of their thorniest cyber challenges,
we don't cover the entire landscape, every use case,
every platform, every threat mitigation technique.
And so ecosystems are critically important because there are a lot of great companies out there that can help us cover the use cases that are most important to our customers and therefore the
ecosystem creation and the orchestration of the ecosystem in ways that makes it come together
in service of the customer's need, which is ultimately to deliver their business or deliver
their outcomes in a secure, efficient, effective way. That's really what's most important. And as you
point out, Ann, that's such a huge part of our role inside of Microsoft is to be the orchestrator
of these ecosystems, to bring companies together from outside of Microsoft with all the great
people here inside of Microsoft who are trying to solve these problems on behalf of our customers
and then to help our customers get the most
out of the ecosystems themselves.
It's hard, right?
Because we all know some of the classic challenges
that people face in cyber.
A lot of vendors, a lot of stitched together solutions.
Part of our goal in these ecosystem programs
is to make it feel more seamless, to take some of the burden off of our customers so they don't have to do all the heavy lifting of bringing together some of the different solutions they need to ultimately solve their problems.
So why is it your view that it's so important to have this vibrant security startup community?
Startups are, they're the lifeblood, I think, of our industry. I think
that's true in broader tech. And they're also, it's also true if you double click down into
cybersecurity. And the reason is they move us forward. Here's a good example. I talk about this,
I talk about this all the time, which is, you know, if I think about just take endpoint security.
Until companies like Cylance and CrowdStrike came along, a lot of the endpoint security industry was, it was AV signature based.
And in today's world, we've all moved on.
Why?
Because innovation happened.
It didn't happen in the big companies.
It happened in the startup landscape. It happened to be a bunch of McAfee alums that went out and did it. You could argue about, you know, the outcomes of the companies. You know, obviously CrowdStrike
has done really well. We don't see Cylance as much anymore. They're part of BlackBerry.
But they push the industry forward in a unique way. and I think we're all better off for it.
You can hear the rest of this conversation along with all of the episodes of Afternoon Cyber Tea on our website, thecyberwire.com, or wherever you get your podcasts. And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Welcome back, Ben.
Thank you for having me, Dave.
So, article over on the IEEE Spectrum website,
and this is about a class action suit
that's being brought against GitHub Copilot
and their parent company, Microsoft,
about these claims that these AI engines
are basically pirating open source software.
What do you make of this, Ben?
So this is really fascinating.
We have an issue here that I think is novel and extremely complicated.
So Copilot, as probably most of our listeners would know,
is an AI pair programmer for software developers.
It suggests code in real time. But the input is, at least as alleged here, copyrighted material.
Somebody has actually developed the code that goes into the system
that leads to Copilot spitting out suggested code.
This is open source software as well.
So obviously the vision of open source is that anybody can use it and access it.
But there are individuals, and that's the nature of this lawsuit,
who think that their own creative work in developing these lines of code
is being used without attribution.
And eventually, if somebody uses the output from Copilot to make a profit,
that's going to be a violation of our intellectual
property laws. There's another side to this story though, and I think that's best articulated by
Kit Walsh, a staff attorney at the Electronic Frontier Foundation. And Kit argues that training
copilot on public repositories is fair use. Fair use allows for the analytical use of copyrighted
work. So for academic purposes, for learning purposes, the question here is whether this
counts as fair use under our intellectual property laws. What Kit is saying is that
Copilot is ingesting code and creating associations in its own neural net about
what tends to follow and appear in what
contexts. And that is sort of doing analytical, that's the equivalent of doing analytical work
on somebody else's copyright protected material. Really, this could boil down to how much
Copilot is reproducing from any given iota, any element of the training data that was used as
input. And that's something that's somewhat metaphysical. We might not know exactly how
much of the suggested code comes from a distinct piece of data that somebody else's copyrighted
work. So this is a really complicated issue. I'm not sure we're going to get a satisfying
resolution for a long time.
But I can understand why people who have poured their heart and mind into developing lines of code would be upset by it being used potentially to profit somebody else without attribution.
Yeah.
It strikes me that at the core of this is whether or not an AI system can express creativity.
And if you're able to input things and it's able to come up with novel solutions
based on inspiration from other people's work,
to me, that's new work.
As opposed to just cutting and pasting some lines of code.
That seems pretty clear-cut to me.
Right.
If you find some code that you had put in your book about programming in whatever language,
and the AI takes it and just pastes it in there and doesn't even change any of the variables,
well, we've got an issue here.
But if the AI is inspired by the code you write, as you say, that's a lot fuzzier in my mind.
And can an AI even be inspired?
Is that a thing?
Right.
Because unlike us, you know, you used an example on Caveat where we talked about this as well,
of going to an art museum, being inspired by Picasso or whomever,
and going home and coming up with your own painting inspired by his work, even though it's unattributed.
Right.
And that's a really interesting metaphor,
but in that case, you're using your own creativity.
You are using the contents of your own mind
to turn the inspiration from somebody else
into your own distinct creative work.
And is that happening with artificial intelligence?
It's a hard question to answer.
Can a computer have creativity?
Or are they just digesting pieces of information and spitting them out algorithmically?
It's something that I don't think is clearly answerable.
Well, I think we all need to go back and watch the
Star Trek The Next Generation episode,
Measure of a Man, where Lieutenant
Commander Data is
put on trial as to
whether or not, as a computer,
he has the rights of a
human being. I think it's all pretty well laid out.
Maybe you and I can turn that into like a one-act
play where we just do that scene and we have attorneys on each side arguing the best arguments on behalf of their clients.
I sense that's a good creative work in our future.
All right.
Well, this one, more to come for sure as this develops, and I find it fascinating.
Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The CyberWire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Trey Hester, with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.