CyberWire Daily - Ransomware in Costa Rica. Cyberespionage against unpatched FortiOS instances. Credential stuffing PayPal, breaching T-Mobile. Utility business systems hit. Hackathons and phishing in Russia.

Episode Date: January 20, 2023

Ransomware hits Costa Rican government systems, again. A Chinese threat actor deploys the BOLDMOVE backdoor against unpatched FortiOS. Credential stuffing afflicts PayPal users. T-Mobile discloses a data breach. A cyberattack hits a remote Canadian utility. The Wagner Group sponsors a hackathon. Malek Ben Salem from Accenture describes prompt injection for chatbots. Our guest is Paul Martini of iboss with insights on Zero Trust. And the FSB’s Gamaredon APT runs a hands-on Telegraph phishing campaign against Ukrainian targets. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/13

Selected reading.
Bolster Your Company Defenses With Zero Trust Edge (Forrester)
MICITT detecta incidente informático en el MOPT, el cual ya se encuentra contenido (MICITT)
MOPT mantiene habilitados todos los servicios de manera presencial (MICITT)
Costa Rica’s Ministry of Public Works and Transport crippled by ransomware attack (Record)
Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) (Mandiant)
Attackers Crafted Custom Malware for Fortinet Zero-Day (Dark Reading)
Chinese hackers used recently patched FortiOS SSL-VPN flaw as a zero-day in October (Security Affairs)
PayPal accounts breached in large-scale credential stuffing attack (BleepingComputer)
PayPal Confirms Over 34,000 Customer Accounts Were Breached (EcommerceBytes)
35,000 PayPal accounts hacked, and users could've prevented it (PCWorld)
Thousands Of PayPal Accounts Hacked—Is Yours One Of Them? (Forbes)
Nearly 35,000 PayPal users had SSNs, tax info leaked during December cyberattack (The Record from Recorded Future News)
T-Mobile Says Hacker Stole Data for 37 Million Customers (Bloomberg)
T-Mobile Says Hackers Stole Data on About 37 Million Customers (Wall Street Journal)
T-Mobile Says Hackers Used API to Steal Data on 37 Million Accounts (SecurityWeek)
Cyberattack hits Nunavut's Qulliq Energy Corp. (CBC News)
Nunavut power utility’s servers hit by cyber attack | IT World Canada News (IT World Canada)
Russian War Report: Russian hacker wanted by the FBI reportedly wins Wagner hackathon prize (Atlantic Council)
Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations (Blackberry)
Gamaredon Group Launches Cyberattacks Against Ukraine Using Telegram (The Hacker News)
Hitachi Energy PCU400 (CISA)
Bolster Your Company Defenses With Zero Trust Edge (iBoss)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Ransomware hits Costa Rican government systems again. A Chinese threat actor deploys the BOLDMOVE backdoor against unpatched FortiOS. Credential stuffing afflicts PayPal users. T-Mobile discloses a data breach. A cyber attack hits a remote Canadian utility.
Starting point is 00:02:18 The Wagner Group sponsors a hackathon. Malek Ben-Salem from Accenture describes prompt injection for chatbots. Our guest is Paul Martini from iBoss with insights on zero trust. And the FSB's Gamaredon APT runs a hands-on Telegraph phishing campaign against Ukrainian targets. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 20th, 2023. Happy Friday, everyone. Good to have you here along with us once again. Costa Rica's Computer Incident Center disclosed this week that it's been subjected to a ransomware attack that encrypted 12 government servers. None of them, the statement said, affected critical systems,
Starting point is 00:03:25 and the attack has been contained, that is, confined, to the systems already affected. There's no official general attribution of the attack, nor any word on what strain of ransomware may have been involved, but, as The Record by Recorded Future reminds readers, Costa Rica began receiving some hostile and determined attention from Conti last spring, with the gang going so far as to express its determination to bring down the government. That's not an expression of serious political purpose, but more like Conti saying, Gosh, I'm telling you, brother, we're mad as heck and we want to get paid. Hang tough and get well soon, Costa Rica.
Starting point is 00:04:07 A suspected Chinese threat actor is exploiting a recently patched critical flaw in Fortinet's FortiOS SSL VPN, according to researchers at Mandiant. The threat actor began exploiting the vulnerability in October 2022, months before the flaw was disclosed publicly. Fortinet issued an advisory on December 12th, rating the vulnerability as critical, noting that the company was aware of an instance where this vulnerability was exploited in the wild. Mandiant says the threat actor targeted a European government entity and managed service provider located in Africa. The researchers discovered a new malware dubbed BOLDMOVE that was developed to exploit
Starting point is 00:04:52 this vulnerability. The threat actor appears to be sophisticated and well-funded. Note that there's been a patch for the vulnerability available since last month, and Fortinet users are urged to apply it. On January 18th, PayPal said in a security incident notice that unauthorized parties had accessed thousands of user accounts between December 6th and 8th of last year in a credential stuffing attack. Credential stuffing is one method of attack that can be made less likely to succeed by the application of some sound digital hygiene. This credential stuffing attack, Bleeping Computer explains, works by utilizing a bot that attempts various user credentials
Starting point is 00:05:36 sourced in other leaks to access accounts on other sites. That is, it's a lazy hacker's way of brute-forcing a credential. So, it follows that those reusing passwords across accounts with shared usernames and emails, or password recycling, would be most likely to fall victim to these attacks. Forbes writes that this incident was reported as of yesterday to have given threat actors access to almost 35,000 PayPal accounts. In a statement to eCommerce Bytes, PayPal asserts that no financial information was accessed and that payment systems were not affected. PayPal says they are reaching out to those who may have seen their accounts accessed. It's not clear that PayPal has that much to apologize for,
Starting point is 00:06:23 since this seems to be a matter of user headspace and not a security flaw within PayPal itself. Mobile carrier T-Mobile disclosed a data breach yesterday that affects around 37 million postpaid and prepaid customer accounts, Security Week reports. The telecommunications firm said in a Thursday filing with the U.S. SEC that the data breach was the work of a malicious actor abusing an API without authorization. The wireless provider claims that the attack, discovered January 5th, was stopped within a day of discovery and that they had pinpointed the source, Bloomberg reports. The carrier says that there is no evidence showing that any other systems were affected and also did not appear to affect any sensitive data.
Starting point is 00:07:13 Qulliq Energy Corporation, QEC for short, in Nunavut, the largest and northernmost territory of Canada, was hit by a cyber attack on Sunday that took down some business systems, the CBC reports. QEC disclosed yesterday that the attack took down the systems at its customer care and administrative offices. The company has enlisted external cybersecurity experts to investigate the scope of the attack and determine which data was accessed. QEC says it will notify anyone whose information was accessed. Premier P.J. Akeeagok said in a statement that various territorial and federal agencies are assisting with the recovery and that the Royal Canadian Mounted Police are investigating the incident. The attacks didn't affect power plant operations, just business systems, and customers are presently unable to pay their bills via credit card.
Starting point is 00:08:10 While it's still unclear whether the attackers accessed customer information, the company says customers should be vigilant just in case. Russia's Wagner Group, a private military company, hasn't neglected information technology. The mercenary group sponsored a hackathon last month designed to contribute, the hired guns said, to the development of IT projects to protect the interests of the Russian army. The hackathon offers another example of the ways in which criminals serve as cyber auxiliaries for the Russian organs. The co-founder of the team that placed an honorable third, one Igor Turashev, is wanted by the U.S. FBI for his involvement with, among other things, the Dridex banking malware.
Starting point is 00:09:03 Mr. Turashev was indicted in the Western District of Pennsylvania on November 13, 2019. The charges he faces, if the U.S. ever gets its hands on him, include conspiracy, conspiracy to commit fraud, wire fraud, bank fraud, and intentional damage to a computer. Mr. Turashev should choose his vacation spots with care. BlackBerry researchers reported yesterday that they'd observed Gamaredon operators running phishing attacks against Ukrainian targets. The phish bait consists of spoofed Ukrainian government or corporate documents. As BlackBerry puts it, the Gamaredon group's network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, and then finally leads
Starting point is 00:09:46 the victim to the next stage server for the final payload. This kind of technique to infect target systems is new. The final payload is an information stealer first observed in September of this past year. Gamaredon, also known as Primitive Bear or Actinium, is generally believed to be an FSB operation run out of occupied Crimea. This particular operation seems to be hands-on and not heavily automated. And finally, the U.S. Cybersecurity and Infrastructure Security Agency, that's CISA, has issued an industrial control system advisory affecting Hitachi Energy PCU400. So read it and heed it, ye captains of industry. It's Friday afternoon. Do you know where your Hitachi ICS is? Coming up after the break, our guest is Paul Martini of iBoss with insights on zero trust. Malek Ben-Salem from Accenture describes prompt injection for chatbots.
Starting point is 00:10:54 Stick around. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:11:31 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:12:17 And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Paul Martini is CEO of security firm iBoss,
Starting point is 00:13:04 where they recently released a report titled Bolster Your Company Defenses with Zero Trust Edge. I checked in with Paul Martini for insights for companies looking to make the transition to zero trust. First and foremost is choose a framework that is based off a standard or create standards. So NIST, they're very well known for not just the risk management framework, the RMF, but they create a lot of different standards. And so by choosing NIST SP 800-207, I think what that's going to help with is, first, it's vendor agnostic.
Starting point is 00:13:39 It's really based off concepts and ideas that can be implemented. But secondly is regulation comes down from government to the commercial and enterprise sector, as well as into other sectors as well, it's going to make sure that you're going to be meeting fundamental compliance requirements. Because ultimately, we believe this becomes regulation and becomes law. And by doing it in a way that not only reduces risk, but helps you remain compliant is always helpful. So the first is pick a framework that you can understand and that is tangible and discreet. The second is really understand what it is that you're trying to achieve. I think this really shouldn't be about just a term or technology that people hear about and think is a great idea. It should be really taking a step back and understanding what is zero trust and what does that mean and how does it reduce risk.
Starting point is 00:14:30 CISA, which is the Cybersecurity and Infrastructure Security Agency, put out a report in 2021, which studied the fundamental root cause of ransomware. They partnered with the FBI, NSA, as well as other governments, the UK and Australia. And what they found was the top three initial infection vectors for ransomware in 2021 was unauthorized access. They were all based on unauthorized access, things like stolen credentials, phishing, or vulnerabilities. But the real question really comes down to why is it that when software becomes vulnerable, that it's accessible? Why is it that there's an attacker in Russia that can even access the application to begin with? The reality is because the world looks a lot different today.
Starting point is 00:15:14 Those applications used to be in a data center or used to be in your office, but now they're SaaS applications, meaning there's a path to the front door of that application. As soon as it becomes vulnerable, an attacker can take advantage of that vulnerability. And if you look at the number of vulnerabilities coming out on a daily basis from CISA, they just sit there waiting for these vulnerabilities to come out to take advantage of them. So I like this idea. using process, people, and technology to basically put a front door in front of all of the critical resources of enterprise zones
Starting point is 00:15:47 and ensure that those applications and data remain private at all times. I do also like all of the network requirements, the requirements to support zero-trust architecture from NIST, the tenets. They have seven tenets that are required to meet a zero-trust architecture
Starting point is 00:16:04 according to their framework. But looking at those tenets and those network requirements, making sure that you're really checking each of those boxes. They put a lot of work to really think about them and the impacts of what they mean. But following those, I think, will put you in a much better position. You all recently released some survey data about Zero Trust. Were there any particular bits of information that you gathered that caught your eye or were surprising or unexpected? I think they just reaffirmed what we already were seeing, which is, you know, Zero Trust is a mainstream type of process and technology that's being implemented across federal governments and
Starting point is 00:16:44 enterprises. It's top of mind. We think that there's a lot of confusion as well that happens when there's something that's new and coming, you know, newer types of technologies, newer types of processes. But it also, you know, we find that it's not just the government. It's just it's reaffirming. It's not just the government moving to these models. It's every company and every enterprise and every sector moving to this model, but reaffirmed that belief. I'm not sure if you're aware today, actually just a few hours ago, Okta announced a new breach.
Starting point is 00:17:17 Did you see that? Yeah, absolutely. If you think about that particular breach, the new one that just came out, it was source code that was stolen from GitHub. So basically the Okta source code was stolen. And you just wonder, how is it that an attacker gets to the front door of their GitHub repository? Because if you're using a zero-trust model, the zero-trust gatekeeper or checkpoint is the job of that gatekeepers to make sure that no one except for employees are touching that resource and everybody else is denied by default. So I think this type of technology, when you look at these types of breaches can, in my
Starting point is 00:17:54 opinion, and in our opinion, it doesn't just slightly reduce risk. It's the best way combined with all of the other good hygiene that you need to do with, you know, other, other technology and processes. But it's the best way to get the biggest bang for the buck to reduce risk. And this is why we're seeing with the survey data and with the government that everybody's moving to this model as quickly as possible. It's been my experience that quite often when bits of technology like this come to the fore, there are several stages that it goes to where it first gets announced,
Starting point is 00:18:28 people start to understand it, and then quite often the marketing people get a hold of it, and that leads to, I guess what I would refer to as the eye-rolling zone, where it gets talked about so much that people kind of put up their defenses about it because they're hearing so much about it. It strikes me that zero trust is here to stay.
Starting point is 00:18:48 We've gotten past that eye-rolling point, and people are really seeing that this is going to be with us for the long haul. Yeah, absolutely. I think it's a catch-22. When technology or processes come out and they're not really spoken about, or there's not a lot of vendors jumping onto that type of technology or marketing, the marketers, to your point, talking about it, it might mean that it's either too early
Starting point is 00:19:14 or it's not that interesting or that helpful. But I think that it's a catch-22 because when something is that helpful, then of course marketing wants to follow that because they know a lot of transitions are going to occur. So you kind of have to get past that hurdle. And I do think that there's still a lot of noise, but because of these standards, and this is why I appreciate NIST so much, is when you start looking at these standards
Starting point is 00:19:37 that include requirements that show tangible deployment strategies. This helps reduce that noise as well as provide guardrails to prevent people from jumping off the cliff or making decisions that are just for the sake of using a term. That's Paul Martini from iBoss. The report is titled, Bolster Your Company Defenses with Zero Trust Edge. We'll have a link in today's show notes. There's a lot more to this conversation.
Starting point is 00:20:19 If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. And joining me once again is Malek Ben-Salem. She's the Managing Director for Security and Emerging Technology at Accenture. Malek, it is always great to welcome you back to the show. We've been seeing a lot of stories about chatbots. They've been getting a lot of attention with some of the developments with AI related to that. I know you and your colleagues have been doing some work when it comes to prompt
Starting point is 00:21:12 injections and chatbots. What can you share with us about that today? Thanks, Dave. So yeah, we've seen language models and chatbots included gained some popularity recently. And again, just like any other AI models, we've talked before on this show about the vulnerabilities of AI and machine learning models in particular. But we have not talked about chatbots specifically. And it turns out that chatbots, just like any other machine learning models, are vulnerable to certain types of adversarial attacks. These are known as adversarial examples, if you think about the computer vision systems that have been shown to be vulnerable to changes in, you know, small changes in a pixel in an image would completely make an image classifier fooled and misrecognize the image just by those few changes in pixels. Those types of attacks are also valid and work against chatbots. And one of these adversarial examples or adversarial attacks is known as prompt injections.
Starting point is 00:22:41 This is akin to the SQL injections that we know and that we're familiar with other types of applications like web applications. languages and you have an API language model with an API that you can call through the API to translate certain language. So you give it your input, your prompt is to translate a certain sentence, and then you give it that input that you want to translate, which is, so you have your prompt and you have your input. It turns out that these models are vulnerable to these prompt injections in the sense that if you modify your input, you can completely make the chatbot do something wrong, such as, you know, share information that it's not supposed to share or tell you what's the last prompt it has received. So reveal some information that is not supposed to be returned back to the user.
Starting point is 00:23:54 How are these prompts surfaced? How do we learn about them? So far, I think we need to do more work on developing security scanners to detect these types of bad inputs. And unfortunately, the security community is not focused on that. Most app scanners that I know of are not looking into this issue yet. And I think this is, my point here is to raise awareness about these types of attacks and hopefully draw the attention both for app scanners and also for the users or the companies using these types of chatbots
Starting point is 00:24:46 to think about these security vulnerabilities. Is this a matter of just sort of pounding away on these things and throwing everything possible at them to see if any weird stuff gets spit out? I think that's part of it. And definitely, you know, there are some AI-driven proposals that look at sanitizing the inputs or sanitizing the prompts to these chatbots. That's one approach. There's also another approach about sanitizing the output. So if something of malicious prompt is detected before the chatbot returns the results to the end user,
Starting point is 00:25:39 they can sanitize that or maybe ignore it to give any response at all. They're not 100% bulletproof. I think they would be useful, but it's not going to be the full answer. And we need to really think about how these, we don't even know enough about how these chatbots can leak information. What are the possible prompts that would make them to act not as expected. And so we definitely need more research, but we definitely also need to start building or think about building some tools that would help us secure them.
Starting point is 00:26:16 All right. That's interesting stuff. Malek Ben-Salem, thank you for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. Visit ThreatLocker.com today to see how today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Bridget O'Gorman from Symantec's Threat Hunter team. We're discussing their report, Billbug.
Starting point is 00:27:38 State-sponsored actor targets cert authority and government agencies in multiple Asian countries. That's Research Saturday. Check it out. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Jennifer Iben, Rick Howard, Peter Kilby, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
Starting point is 00:29:12 insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
