CyberWire Daily - PlugX is now wormable. Compromised webcams found. Emotet is back. AI builds a keylogger. Cyber in the hybrid war. BEC comes to productivity suites.
Episode Date: March 9, 2023
A wormable version of the PlugX USB malware is found. Compromised webcams as a security threat. Emotet botnet out of hibernation. Proof-of-concept: AI used to generate polymorphic keylogger. Turning to alternatives as conventional tactics fail. Dave Bittner speaks with Eve Maler of ForgeRock to discuss how digital identity can help create a more secure connected car experience. Johannes Ullrich from SANS on configuring a proper time server infrastructure. And phishing messages via legitimate Google notifications.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/46
Selected reading.
A border-hopping PlugX USB worm takes its act on the road (Sophos News)
BitSight identifies thousands of global organizations using insecure webcams and other IoT devices, finding many susceptible to eavesdropping (BitSight)
Emotet malware attacks return after three-month break (BleepingComputer)
BlackMamba: Using AI to Generate Polymorphic Malware (HYAS)
Russian Cyberwar in Ukraine Stumbles Just Like Conventional One (Bloomberg)
Australian official demands Russia bring criminal hackers ‘to heel’ (The Record by Recorded Future)
Russia will have to rely on nukes, cyberattacks, and China since its military is being thrashed in Ukraine, US intel director says (Business Insider)
BEC 3.0 - Legitimate Sites for Illegitimate Purposes (Avanan)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A wormable version of the PlugX USB malware is found.
Compromised webcams as a security threat.
Emotet botnet out of hibernation.
AI used to generate polymorphic keylogger.
Turning to alternatives as conventional tactics fail.
Dave Bittner speaks with Eve Maler of ForgeRock to discuss how digital identity can help create a more secure connected car experience.
Johannes Ullrich from SANS on configuring a proper time server infrastructure, and phishing messages via legit Google notifications.
From the CyberWire studios at DataTribe, I'm Trey Hester filling in for Dave Bittner
with your CyberWire summary for Thursday, March 9th, 2023.
Sophos is tracking a new version of the PlugX USB Trojan.
The researchers say the novel aspects of this variant are a new payload and callbacks to a C2 server
previously thought to be only tenuously related to this worm.
PlugX is a known malware variant that can spread via USB sticks,
which can sometimes allow it to access air-gapped systems.
The malware is currently spreading in African countries, with infections observed in Ghana,
Zimbabwe, and Nigeria. The new variant was also observed in Papua New Guinea and Mongolia.
Sophos believes this campaign is linked to the Chinese APT Mustang Panda,
which has been known to use this malware in the past.
BitSight has published research finding that 1 in 12 BitSight-tracked organizations with internet-facing webcams or similar IoT devices are susceptible to video and/or audio compromise.
The researchers were able to access cameras monitoring access-controlled spaces and, in
some cases, could have eavesdropped in sensitive business areas.
Quote, exposed devices in our analysis are either misconfigured or suffer from a software
vulnerability. The former could arise because the user failed to set a password, while the latter
is typically attributable to a specific kind of access control vulnerability called an insecure
direct object references vulnerability. Either way, the video/audio feed should be protected by access control measures, but is not.
Therefore, the device's security controls can be bypassed,
allowing an attacker to view video feeds and/or eavesdrop on conversations.
Sophisticated attackers could also potentially alter exposed feeds.
End quote.
Most of the exposed organizations are in the education sector,
and the researchers note that the increased presence of minors
at these educational organizations
could present additional challenges to personal privacy and security.
Emotet, long familiar on the cyber threat scene,
had gone relatively quiet, but it returned earlier this week.
Bleeping Computer writes that Emotet has been observed sending emails once again,
despite the effectiveness of Microsoft security in blunting Emotet attacks.
Cybersecurity firm Cofense reports that malicious activity from the Emotet malware family
was observed beginning again on Tuesday morning.
Cofense told Bleeping Computer that the campaign resumed at 7 a.m. Eastern Standard Time,
saying, quote,
Volume remains low at this time as they continue to rebuild and gather new credentials to leverage and address books to target, end quote.
The emails in the newer campaign purport to be invoices, rather than reply chain emails.
Inside the invoice attachment lies a document with Emotet's Red Dawn template that prompts users to enable content and editing.
If a user enables the editing, a slew of macros will download to the Emotet loader and allow it to run in the background.
This could potentially lead to more dropped payloads, researchers say.
Researchers at HYAS have developed a proof-of-concept strain of polymorphic malware that uses OpenAI's API to evade detection.
The malware, which the researchers call Black Mamba, is a keylogger delivered as an apparently
benign executable. Once executed, however, Black Mamba will reach out to OpenAI and request that
the AI generate keylogging code. Quote, it then executes the dynamically generated code within
the context of the benign program using Python's exec function, with the malicious polymorphic portion remaining totally in memory.
Every time Black Mamba executes, it re-synthesizes its keylogging capability, making the malicious component of this malware truly polymorphic.
Black Mamba was tested against an industry-leading EDR, which will remain nameless, many times, resulting in zero alerts or detections, end quote. The researchers can then exfiltrate
the captured data via legitimate communication and collaboration tools. The U.S. Director of
National Intelligence Avril Haines yesterday predicted to the Senate Intelligence Committee
that Russia could be expected to turn to alternative forms of military power as its conventional forces continue to fail on the battlefield. Quote, Russia will become even
more reliant on asymmetric options such as nuclear, cyber, space capabilities, and on China. End quote.
Such alternatives, especially cyber, have seen their own challenges. Bloomberg reviews again
the difficulty Russia has had mounting effective cyber offenses against Ukraine and Ukraine's allies. Some of this is due to deterrence,
but much of the failure is credited to effective Ukrainian defenses. There has also been evidence
of Russian inability to sustain focused cyber offensives over a period of time long enough to
have a decisive effect. It has, for example, proven more difficult than anticipated
for Russian services to maintain unity of effort in the criminal gangs they rely on as auxiliaries.
Some of those gangs, like Conti, splintered over Russia's war. That said, the gangs remain
important to Russia's cyber operations, and the governments of nations sympathetic to Ukraine
are not disposed to overlook gangland's close connections to Russia's intelligence and security
And finally, Avanan warned this morning that an ongoing phishing campaign has abused comments in Google Workspace documents to target nearly a thousand companies over the past two weeks.
The researchers explain that an attacker can create a free Google account, then simply mention the targeted user in a Google Sheet.
The target will then receive a legitimate notification from Google
informing them that they've been mentioned in the document.
If the recipient clicks on the Google Scripts link included in the email,
they'll be redirected to a phony cryptocurrency site.
While the delivery technique is effective,
Avanan notes that the social engineering aspects of this particular campaign
could use some grammatical refinement. The message written by the scammer states,
Hello, dear users of the system. They wrote to you to the account the withdrawal of cash.
Nevertheless, you have not ordered a withdrawal. End quote. Avanan cautions, however, that users
should be on the lookout for more sophisticated campaigns using this technique. So stay alert, friends.
Coming up after the break, Dave Bittner speaks with Eve Maler of ForgeRock
to discuss how digital identity can help create a more secure connected car experience.
And Johannes Ullrich from SANS speaks on configuring a proper time server infrastructure.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
With consumers demanding connected cars that not only get us where we need to go,
but also seamlessly integrate with our digital lives, automakers are striving to strike that balance
between user experience and information security. Eve Maler is CTO of identity and access management
software company ForgeRock. So McKinsey is predicting 95% of cars will be connected cars
shipping by 2030. Honestly, it's hard to find a car that doesn't come with a SIM card
these days. Yeah, you know, I like to joke that my favorite iPhone accessory is my car.
And I think that, you know, that reflects that we're really relying on our cars to interface
with our mobile devices. And indeed, I think it's a major consideration when folks are shopping for
cars these days. But what about the cars themselves when it comes to that interaction? How are they
treating our security and privacy? You know, there's still a gap, a pretty big gap, when cars
are looking at the security and privacy prospects. Part of it really is the API security. Cars have APIs now, and who's calling
those APIs? Oftentimes, we discover that they're not protected. And oftentimes, we discover that
the protection is a weak form. It's really weaker than we know to do when it comes to web security
these days. And honestly, any car with a browser window, which a lot of them have,
is functioning as a very sophisticated mobile device.
Well, for folks who aren't familiar with how this works in the automotive world,
how are cars using APIs and how does that interact with our devices and then hit the rest of the real world? Yeah. So, you know, connected cars are giving us not just a way
to get from point A to point B, they are digitizing an experience. And, you know, I share
your kind of experience about, you know, having Apple CarPlay and iPhone integration being a
really big part of my driving. And so there's a lot of data feeds from oil levels to tire pressure as it changes as
you drive to music subscription services and car navigation services. So it's really a compendium
of different services that function very much like ordinary connected services function. They
have APIs. They need to be connected a lot of the time. And those APIs are called by
various client applications that are looking up information and feeding information back into the
driver's environment. And so the way that they should be secured is through some of the best
practices that we know now, where you use access tokens, using OAuth technology that can be
refreshed quite frequently. And in fact,
a lot of them are not secured in such a fashion, and they're using static secrets that function
like passwords. And we know that this is often leading to what I think of as identity theft
in the car API ecosystem, where if you get a compromised secret that functions like a
password, then anybody can interact with a car, make it do things that the driver really does
not want it to do, and that's quite dangerous. What are some of the specific concerns here?
Are we talking about, you know, location where people are traveling? What sort of things do we need to keep an eye out for here?
Well, it could amount to controlling the car's functions. If you have autonomous functions,
for example, what if those were taken over? It could replace known good data around navigation
with suspect data. So the classic challenges of cybersecurity around confidentiality and integrity and availability,
all of those things could be compromised. And they could result not just in, you know,
a digital security hole, they could result in personal safety risks.
I'm trying to imagine how something like this would work. I mean, can you describe for us,
is there some sort of,
I don't know, a future where we have some sort of onboarding with our new vehicle or every time we get in a car we haven't been in before? What do you envision? Yeah, actually, I mean, I've got a
pretty good beat on it because we work with a lot of the automotive OEMs who are looking to solve
problems like ensuring that a digital key for a car, which can often be your
phone, be shared with other people that you want to give the right to drive your car, for example.
And so the infrastructure that's needed to make that happen, it turns out to involve what might
look like classic identity and access management carefully orchestrated across environments like digital
mobile devices, the car itself, the person who, let's say, ordered the car. The car may not exist
yet. Believe it or not, that car has an identity and can be tracked oftentimes through the
manufacturer process and through the process of delivery to the new owner. So really, identity and identity relationships form a core part of the security strategy,
the privacy strategy, and really the digital experience strategy.
What about when you're ready to part ways with your vehicle?
We've heard stories about folks who sell a car and then the next owner has access to their personal information, or indeed someone sells a car and months later they still have access to remotely start the car or things like that.
Yes. You know, this is one of those, sometimes it's a little bit of a blind spot, even in enterprise security, the need to deprovision access, to change authorization policy, to disallow
certain actions. So, you know, one of the hardest problems is ensuring that you've got a really
clean picture of, let's say, off-boarding an employee who just left yesterday, and you don't
want them to get access to all of the resources they had access to before. It's much the same
proposition, only it needs to be translated into consumer scale.
And it's very much, as I say, an identity and access management proposition.
And it needs to be made easy, convenient, and valuable to folks who are interacting with these very sophisticated devices.
Are we at the point yet where this needs to be a concern for people who are out there shopping for their next car?
Or are there questions they should be asking at their dealerships?
I think so, actually.
You know, particularly when a car is such a valuable, sophisticated product,
which comes with subscription opportunities of its own,
it's important for people to get a sense of comfort that they are
working with a trustworthy manufacturer of this vehicle and a trustworthy integrator of all the
many, many services, including third-party services, that make up that kind of package
of value that a connected car represents. That's Eve Maler from ForgeRock.
And I'm pleased to be joined once again by Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC Stormcast podcast.
Johannes, it's always great to welcome you back.
I know you want to touch today on this notion of time servers
and configuring them properly.
What can you share with us today?
Yeah, thanks for having me back again, Dave.
And time may be a little bit of an obsession of mine with sort of my physics background back in the day.
I actually almost got a job to help
mystify the kilogram out of school back then.
But, well, anyway, that didn't happen,
so now I'm stuck with time servers and networks.
What it's really about is pretty much
any operating system these days,
even IoT devices,
synchronize time automatically.
And by default, they come configured
with some kind of time server that they reach out to,
that they connect to.
There are a couple tricky issues with this.
Now often, in particular, open source, Linux, IoT,
uses this NTP pool.
This is a pool of a couple thousand NTP servers
that volunteers basically contribute.
And like anything, volunteers contribute.
Sometimes it works, sometimes it doesn't work.
There is no 800 number to call and complain about
if it doesn't work.
So we did a little bit of work and looked at
how accurate are these open time servers.
It turns out they are very accurate if they respond.
They're sort of within a few milliseconds,
which is perfectly fine for what they're meant to do.
But aside from the accuracy, there's a little bit another problem.
Whenever you're reaching out to another network device like this,
you're basically giving away information.
For example, Shodan stated that one way they're going to solve the problem of scanning IPv6 is they can't scan the IPv6 address space.
So they're just going to add some NTP servers to that pool with IPv6 addresses,
and whenever you connect to them to get the new time,
you basically give away your IPv6 address and they'll scan you and then add to the database as a possibly exposed device over IPv6.
Also, there are different variations of software that is used for time synchronization
that uses slightly different flavors of the NTP protocol.
And with that, an attacker, for example,
could figure out what operating system you're running
or how recent your operating system is.
So a lot of things that you're kind of giving away
and that you probably need to consider.
And I think one reason why you want to control time,
you want to take it over and really set up an NTP infrastructure
and architecture around it, just like what you're doing for DNS and other protocols.
So is it something you would run internally?
Yeah, so the first step that you can do is you run an internal time server.
Again, there's open source software to do it.
A small virtual machine is all
you really need. And then that time server synchronizes with these external sources,
so that would be the only system exposed. And all your internal servers will then connect to that
one master clock inside your network. It has the other advantage that this kind of gets your
clocks more synchronized inside your network. And what you're often more interested in, rather than having like the absolute time, is that the time
is synchronized within your network. Like it probably doesn't really matter if the time on
your laptop is off by a second, as long as everything on your network is off by a second.
And that way, if you're trying to compare logs and such, you're finding the right logs that you're looking for.
Yeah. I mean, that's fascinating.
As things continue to get faster,
network speeds and processor speeds and all that kind of stuff,
does the degree to which the accuracy of the notion of an absolute time,
does it matter?
It can matter in some cases, like authentication, for example.
Protocols like Kerberos and such are somewhat sensitive.
It's relatively straightforward to get millisecond accuracy.
That's what you can do with open source software.
The next step up from having this one centralized time server
is you can buy little appliances
that use GPS
to synchronize time
and act as an internal time server.
So now you don't need any outbound network
connection. And those
devices are not terribly expensive.
They're sort of in the $200 range of the
low-end ones that you can
get, and of course, no limit
to the upper end.
And then, of course, depending on if you want to be really accurate,
you can use other protocols and such to synchronize time across systems.
But something like this is definitely affordable for a small business,
a little time server appliance like this, and it just sort of takes care of it. You don't really have to worry about it going forward.
The accuracy, the absolute accuracy of one millisecond, I would think
is pretty much good enough for all
current applications, unless you have
some very specific needs.
Oh man, this is totally a rabbit
hole I could go down,
compensating for relativistic effects
and all that kind of stuff, right?
Actually, these GPS satellites, they have atomic clocks inside, these cesium clocks.
You can buy your own cesium clock if you want to.
On eBay, they can sometimes be found at a reasonable price.
Reasonable being sort of $1,000 to $2,000 kind of.
Yeah, I don't think it's really necessary
for most applications.
Facebook published a lot about what they're doing to actually get sort of nanosecond and
better synchronization across their network.
They sort of came up with some custom network cards and plugins for that to do it.
5G networks, that's sort of where the speed matters.
The faster these networks get,
the more critical for them it is to synchronize frequencies,
that your phone and the tower,
when they're dialing in a certain frequency,
it's actually the same frequency.
So that's also where some of these time standards
come in and matter
and have been now very accurate
with these faster speeds.
Yeah. Reminds me of the old quote
allegedly from Yogi Berra. They said, hey,
Yogi, what time is it? Yogi said, you mean now? Yeah. Or just the other quotes often said with
NTP. If you have one clock, you know what time it is. If you have two, you're never sure.
Right. Right. All right. Well, Johannes Ullrich, thank you for taking the time for us today.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your
studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is me
with original music by Elliot Peltzman. The show is written by John Petrick. Our executive editor
is Peter Kilby. And I'm Trey Hester, filling in for Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.