CyberWire Daily - Privileged insiders and the abuse of “Oops.” Nemesis Kitten exploits Log4Shell. TrojanOrders in the holiday season. Emotet’s back. RapperBot notes. And an arrest in the Zeus cybercrime case.
Episode Date: November 17, 2022

Meta employees, contractors compromised customer accounts. Nemesis Kitten found in US Government network. Unpatched Magento instances hit with "TrojanOrders." Emotet has returned after three quiet months. DDoS attacks in game servers by RapperBot. Carole Theriault looks at long term lessons learned from the 2019 Capital One breach. FBI Cyber Division AD Bryan Vorndran updates us on cyber threats. And an alleged "Zeus" cybercrime boss has been arrested in Switzerland.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/221

Selected reading.
Meta Employees, Security Guards Fired for Hijacking User Accounts (Wall Street Journal)
CISA Alert AA22-320A – Iranian government-sponsored APT actors compromise federal network, deploy crypto miner, credential harvester. (CyberWire)
Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester (CISA)
Iranian government-linked hackers got into Merit Systems Protection Board's network (Washington Post)
Iranian hackers compromise US government network in cryptocurrency generating scheme, officials say (CNN)
Magento stores targeted in massive surge of TrojanOrders attacks (BleepingComputer)
A Comprehensive Look at Emotet's Fall 2022 Return (Proofpoint)
Notorious Emotet botnet returns after a few months off (Register)
Updated RapperBot malware targets game servers in DDoS attacks (BleepingComputer)
Russia's cyber forces 'underperformed expectations' in Ukraine: senior US official (The Hill)
Suspected Zeus cybercrime ring leader 'Tank' arrested by Swiss police (BleepingComputer)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Meta employees and contractors compromise customer accounts. Nemesis Kitten is found in U.S. government networks. Unpatched Magento instances are hit with TrojanOrders. Emotet has returned after three quiet months. DDoS attacks in game servers by RapperBot. Carole Theriault looks at long-term lessons learned from the 2019 Capital One breach. FBI Cyber Division AD Bryan Vorndran updates us on cyber threats, and an alleged Zeus cybercrime boss has been arrested in Switzerland.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 17th, 2022.
The Wall Street Journal this morning reported that Meta Platforms, parent company of Facebook, found that some employees and contractors were apparently involved in selling outsiders access to customer accounts. The Journal says that Meta, in the course of an internal investigation, fired or disciplined more than two dozen employees and contractors over the last year whom it accused of improperly taking over user accounts, in some cases allegedly for bribes. Some of the employees believed to have misbehaved had done so through the access they'd been granted to Meta's program, internally called Oops, used to help customers who are having trouble with their accounts, assisting them with forgotten passwords or account hijacking. In some cases, workers took thousands of dollars in bribes from outside threat actors to compromise the accounts. Oops is supposed to be limited to friends, family, business partners, and public figures, but as Meta's employee headcount has grown, so has Oops usage. Meta is working to rein in the use of Oops and its attendant abuse, but it's not an easy problem to overcome. It's an interesting case of the larger challenge of privilege abuse, and it will be interesting to see the steps Meta takes to bring the problem under control.

CISA and the FBI released a joint cybersecurity advisory yesterday on Iranian government-sponsored APT actors compromising a federal network. The threat actor, Iran's Nemesis Kitten, exploited the well-known Log4Shell vulnerability to infiltrate a VMware Horizon server in February and move across the network. BleepingComputer reports that the attackers deployed a cryptocurrency miner, as well as reverse proxies on compromised servers to remain within the network. The Washington Post identified the affected agency as the U.S. Merit Systems Protection Board. SecurityWeek notes that CISA and the FBI have published indicators of compromise to help potentially impacted organizations find infection, with the mindset that there has already been a compromise. The agencies say in their advisory, all organizations with affected VMware systems that did not immediately apply available patches or workarounds should assume compromise and initiate threat-hunting activities. If signs of compromise are found, connected systems should be investigated and privileged accounts especially should be audited.
At least seven Magecart gangs are hitting vulnerable unpatched instances of Magento 2 and Adobe Commerce with TrojanOrders, researchers at Sansec report. The bogus orders are placed to establish persistence on the affected system. Once that's achieved, the criminals can execute further criminal actions, usually customer credential and payment card theft. This kind of exploitation had been difficult, but exploits have been traded in criminal-to-criminal markets, and their prices have recently fallen from $20,000 to $30,000 to roughly $2,500, according to BleepingComputer. The potential rewards are greater as well as the holiday season approaches. Sansec expects TrojanOrders to crest as the shopping season begins to peak with Black Friday at the end of next week. Patches are available for the vulnerabilities undergoing exploitation, but Sansec estimates that about a third of Magento and Adobe Commerce systems remain unpatched, and even in some patched systems, attackers may have achieved persistence before the patches were applied.
Proofpoint yesterday offered a look at the return of Emotet, whose major distributor, TA542, resurfaced this month after having been quiet since July. The botnet has been observed dropping IcedID, and researchers think Emotet is returning to its full functionality, acting as a delivery network for major malware families. The botnet's targets have been widespread, with high volumes of spam hitting the United States, the United Kingdom, Japan, Germany, Italy, France, Spain, Mexico, and Brazil. The researchers conclude, overall, these modifications made to the client indicate the developers are trying to deter researchers and reduce the number of fake or captive bots that exist within the botnet. The addition of commands related to IcedID and the widespread drop of a new IcedID loader might mean a change of ownership or at least the start of a relationship between IcedID and Emotet.
Game servers have been the target of activity by RapperBot, Fortinet's FortiGuard Labs researchers report. DDoS attacks have been detected in game servers. FortiGuard Labs researchers say RapperBot had been seen in campaigns earlier this year. There are signs that some Mirai source code is being reused. BleepingComputer reports that Fortinet believes all RapperBot campaigns are done by the same threat actors, with newer variants sharing source code. Reportedly, the C2 communication protocol is the same. Credentials used have been the same since August 2021, and there are no signs of campaign overlaps.
And finally, we've all heard, and heard a lot, about the general surprise aroused by Russian cyber operators' failure to show up in Moscow's hybrid war against Ukraine. The latest comment on this, if you'll indulge us for a moment, came this week from the U.S. Deputy Assistant Secretary of Defense for Cyber Policy, Mieke Eoyang, who observed to the Aspen Institute that Moscow's cyber operations have underperformed pre-war expectations. The Hill quotes her as saying, I think we were expecting much more significant impacts than what we saw. I think it's safe to say that Russian cyber forces, as well as their traditional military forces, underperformed expectations. She thinks that the evidence shows Russia to have been unprepared for an unexpectedly protracted war.

But the hoods on both sides of the Russo-Ukrainian border have managed to stay in the news. Krebs on Security reports that Vyacheslav Penchukov, who goes by the hacker names Tank and Aqua, a Ukrainian cybercriminal and sometime DJ, was taken into custody by Swiss police in Geneva. He now faces extradition to the United States. The charges he faces, according to The Record, pertain to a wide-ranging racketeering enterprise and conspiracy that infected thousands of business computers with malicious software known as Zeus. He's been associated with the Russian cyber mob boss Evgeniy Mikhailovich Bogachev, who's been wanted by the U.S. FBI since his indictment in 2012. Mr. Penchukov is alleged to have run the Ukrainian branch of Mr. Bogachev's Zeus operation. Mr. Penchukov is in custody, but Mr. Bogachev remains out there in the wild, last seen aboard his yacht in the Black Sea, rocking his tracksuit and holding some exotic cats.
Coming up after the break, Carole Theriault looks at long-term lessons learned from the 2019 Capital One breach. FBI Cyber Division AD Bryan Vorndran updates us on the latest cyber threats. Stick around.
Our UK correspondent Carole Theriault returns with a look at the long-term lessons learned from the 2019 Capital One breach. She files this report.

So back in 2019, Capital One told the world that someone gained unauthorized access and stole files containing the personally identifiable information of customers and credit card applicants. And this data was a treasure trove. It included payment history, contact info, credit scores, and social security numbers. Now, Capital One said it immediately fixed the issue and alerted the FBI. But it was still one of the largest financial data breaches to date. I mean, it reportedly affected more than 100 million customers in the US and Canada. And it was an anonymous email sent to Capital One that fueled the FBI's investigation in July 2019. And it led to the arrest of Paige A. Thompson, a 36-year-old Amazon tech worker. And just this past June, a jury in the U.S. District Court of Seattle found Thompson guilty of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer.

Now, according to the DOJ press release, quote, using Thompson's own words and texts and online chats, prosecutors showed how Thompson used a tool she built to scan Amazon Web Service accounts to look for misconfigured accounts. She then used those misconfigured accounts to hack in and download the data of more than 30 entities, including Capital One Bank. With some of her illegal access, she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet. Thompson spent hundreds of hours advancing her scheme and bragged about her illegal conduct to

So did you see that? It's not like she's some mastermind genius. She went around scouring, looking for misconfigured AWS servers. And just look at the damage she caused. A hundred million people affected. We're talking stolen credit card details, social insurance numbers, a bunch of private information that you don't change very often, if at all, in your lifetime. And with an end goal of getting some secret crypto mining thing going.

So what can we take away? What can we learn from this? It's to make sure that our configurations are set the way we want them to be. Think about all the myriad of software that you're running at home or at work. Like every time there's an upgrade, configuration options might change and or be added, and they may just set those to a default setting, expecting you to review it. Well, maybe meet that expectation, because in the end, whilst Capital One was hurt, the company was fined 80 million and settled customer lawsuits for 190 million, the people whose information has been stolen are the ones that really pay the price.

So that is today's takeaway. Review your configuration settings and make sure only authorized people can access your data treasure troves. This was Carole Theriault for the CyberWire.
And I'm pleased to be joined once again by FBI Cyber Assistant Director Bryan Vorndran. Director Vorndran, welcome back. I want to touch base with you today on some of the threats that you all are tracking, particularly the cyber criminal threats. What do you have to share with us today?

Thanks, Dave. It's good to be here with you. You know, specifically towards ransomware, the criminals behind ransomware attacks are almost wholly based in Russian-speaking countries. And it's important to know that they operate as organized crime syndicates, similar to what we would have thought of as traditional organized crime elements. Quite frankly, they're fantastic entrepreneurs and have successfully lowered the barriers of entry through ransomware as a service, and I'll explain what that means here in a minute. But there's really four key services to their business model. One is infrastructure. The second is communication. The third is malware. And the fourth is obviously transactional currency. But specific to the malware key service, very, very highly skilled malware coders are developing more and more sophisticated malware. And they have what we refer to as an affiliate model. And that affiliate model allows less technically skilled criminals who are obscured from the enterprise or who are obscured from these heavily skilled malware coders. And those affiliates deploy their sophisticated malware for their personal gain, and then they pay a percentage of their proceeds back to the highly skilled malware coders. So it really does cordon off the most talented enterprise leaders from the affiliates, and they're essentially on a lease model for their malware. It's a very, very productive model for everybody involved, but all of those people involved are obviously criminals.

As you know, ransomware is an attack on the availability of your systems and data. And an organization's goal should be to prevent these attacks. It's not about detection and eviction. It truly is about prevention. And those prevention efforts should be commensurate with acceptable downtime. And those acceptable downtimes need to be made at the organizational level. So if an acceptable downtime is, for example, one day, increasing prevention efforts should be a high priority. Without taking those effective steps in advance of a breach, an organization can find themselves obviously wholly reliant on the honesty and the integrity of criminals to get their data back or to get their systems decrypted.

It's also highly predictable that ransomware actors will eventually move towards multilingual ransomware-as-a-service software platforms. So if you think about it, they've obviously scaled their model in terms of Russian-speaking countries, but there's other talent globally, and a natural endeavor for them would be to scale into multilingual platforms to leverage other countries and the criminals in other countries.

But I do think, Dave, it's really important to talk about target identification. And ransomware actors evaluate really three key things. First, who is easily targetable? Second, who is likely to pay based on brand damage? And finally, who will pay the most? So let's put this in industry standard terms. Who doesn't have good net defense, who has a high willingness to pay, and who will suffer the most economic impact from the encryption of key systems.

You know, ransomware attacks are increasingly coupled with data theft. And this is a very normal and present trend right now. We refer to that as a double extortion model, or data theft and harassment of the victims and company officials, which we would call triple extortion. So I'll go a little bit deeper on those. So double extortion would mean that a ransomware actor encrypts your system and also steals the data and threatens to release it publicly. A triple extortion model would be, again, encrypts your data, steals your data, and then attacks your systems through a DDoS attack or makes harassing phone calls to employees, executives, customers, or family members. And those are becoming more and more prevalent. And I just want to touch on one other note before we round out this question. You know, when companies choose to pay to prevent the leak of data, it's important that those companies understand that they're paying to prevent the leak of data right now. And they should undoubtedly expect to be extorted again in the future to prevent another release of data. So I appreciate the question. It's obviously a very important topic to us.

Can you give us some insights on ideal interactions between you and your colleagues there at the agency? When someone comes to you and says, we've been a victim of ransomware, how does that work?

Dave, it's a great question. And when we talk about this, we really split the relationship building into three phases. And those phases are before an intrusion, during an intrusion, and after an intrusion. And that before-the-intrusion phase is the most important because it's then that we build trust with an organization, whether that's a nonprofit, a for-profit, or an education institution, or anything else. It's important to build trust, but it's also important to set expectations. And by setting expectations, I do not mean what does the FBI need. I actually mean just the opposite. The company often wonders, what can the FBI do? What can the FBI not do? What should the company do? What should the company not do? How does the company want the FBI to engage with them during a moment of intrusion? For example, do they want the FBI to engage through a natural trust-based relationship that's already in place? Or do they want us to engage through their retained counsel during an intrusion? But that before-intrusion phase of relationship building is so, so important. And it's been my experience that when engagements during intrusions don't go well between the FBI and a company or the company and the FBI, it's likely because we haven't spent enough time together before the intrusion.

But during the intrusion, our message is very simple. We're there to help. That opens the gateway to the Bureau's resources. We can open the gateway to the U.S. government resources. We've been asked to help with media in the past during intrusion, and we're happy to do that. We've been asked to do a host of other things that are not technical, and we're happy to do that.

day, there is information, intelligence, and evidence that a company likely has as a result of their intrusion. And we would hope that there would be a sharing of that at an appropriate time. It's very seldom that we need all that right away. There is a need to quickly share virtual wallet information and things of that sort, because that's tactical and tangible intelligence that we can move on. So hopefully, Dave, those give you and your audience some thoughts on what that engagement would look like.

And from a practical level, is this a matter of reaching out to your local FBI field office?

It really is. It really is. You know, probably the biggest strength the FBI has is 56 field offices, 300 different resident agencies. And so we do have people everywhere. And we would really encourage your audience to get in touch with their local FBI field office and at least introduce themselves to the right folks on the cyber squad in that field office. So that should something happen, those relationships are already in the process of being built.

All right. Well, FBI Cyber Assistant Director Bryan Vorndran, thanks so much for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.

The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan,

Thanks for listening. We'll see you all back here tomorrow.