CyberWire Daily - Security risks in the hardware and software supply chains. Patches and proofs-of-concept. A look at recent incidents hitting major corporations. Online surveillance and social credit in Russia.

Episode Date: October 5, 2023

Apple patches actively exploited iOS 17 vulnerability. Qakbot's survival of a major takedown. BADBOX puts malware into the device supply chain. Looney Tunables and a privilege-escalation risk. Scattered Spider believed responsible for cyberattack against Clorox. Sony discloses information on its data breach. In today’s Threat Vector segment, Chris Tillett, Senior Research Engineer at Palo Alto Networks and member of the Advisory Board at Titaniam Labs, joins host David Moulton to delve inside the mind of an insider threat. Dave Bittner sits down with Eric Goldstein, Executive Assistant Director at CISA, to discuss shared progress against the ransomware threat. And the Kremlin tightens control over the Russian information space.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/191

Selected reading.
Apple emergency update fixes new zero-day used to hack iPhones (BleepingComputer)
Apple releases iOS 17.0.3 to address iPhone 15 overheating issues (Computing)
Apple Warns of Newly Exploited iOS 17 Kernel Zero-Day (SecurityWeek)
Qakbot-affiliated actors distribute Ransom Knight malware despite infrastructure takedown (Cisco Talos Blog)
HUMAN Disrupts Digital Supply Chain Threat Actor Scheme Originating from China (HUMAN)
Trojans All the Way Down: BADBOX and PEACHPIT (HUMAN)
'Looney Tunables' Bug Opens Millions of Linux Systems to Root Takeover (Dark Reading)
Looney Tunables: New Linux Flaw Enables Privilege Escalation on Major Distributions (The Hacker News)
Clorox Security Breach Linked to Group Behind Casino Hacks (Bloomberg)
Clorox Warns of a Sales Mess After Cyberattack (Wall Street Journal)
Sony confirms data breach impacting thousands in the U.S. (BleepingComputer)
Sony sent data breach notifications to about 6,800 individuals (Security Affairs)
Russian Offensive Campaign Assessment, October 4, 2023 (Institute for the Study of War)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Apple patches actively exploited iOS 17 vulnerability. Qakbot's survival of a major takedown. BADBOX puts malware in the device supply chain. Looney Tunables and a privilege-escalation risk. Scattered Spider believed responsible for cyber attack against Clorox.
Starting point is 00:02:19 Sony discloses information on its data breach. In today's Threat Vector segment, Chris Tillett, Senior Research Engineer at Palo Alto Networks and member of the Advisory Board at Titaniam Labs, joins host David Moulton to delve into the mind of an insider threat. Dave Bittner sits down with Eric Goldstein, Executive Assistant Director at CISA, to discuss shared progress against the ransomware threat. And the Kremlin tightens control over the Russian information space. I'm Trey Hester filling in for Dave Bittner with your CyberWire Intel briefing for Thursday, October 5th, 2023. First, some patch news out of Cupertino. Apple has patched two serious vulnerabilities affecting iOS and iPadOS, SecurityWeek reports. Apple says one of the flaws, CVE-2023-42824, a privilege escalation vulnerability affecting the kernel, may have been actively exploited against versions of iOS before
Starting point is 00:03:33 iOS 16.6. SecurityWeek notes that this is the 16th documented in-the-wild zero-day against Apple's iOS, iPadOS, and macOS-powered devices. The other flaw, CVE-2023-5217, is a buffer overflow vulnerability affecting WebRTC that could enable remote code execution. This vulnerability involves a problem with the libvpx video codec library. BleepingComputer writes, quote, the libvpx bug was previously patched by Google in the Chrome web browser and by Microsoft in its Edge, Teams, and Skype products. End quote. The patches merit your quick attention if you're an Apple user. The operators of Qakbot are back, Cisco Talos researchers report.
Starting point is 00:04:19 They're distributing Ransom Knight ransomware in a campaign that began in early August and continues into the present. The activity continues despite an FBI-led takedown of Qakbot's infrastructure. Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may have not impacted Qakbot's operators' spam delivery infrastructure, but rather only their command and control servers. Qakbot's operators lost an important part of their infrastructure, but they remain at large, and may well be working to reconstitute their operation.
Starting point is 00:04:55 Security firm HUMAN has disrupted a key monetization mechanism of a sophisticated series of cybercriminal operations involving backdoored off-brand mobile and CTV Android devices sold to end-users through major retailers originating from repackaging factories in China. The campaign, known as BADBOX, uses the Triada malware to steal personally identifiable information, establish residential proxy exit peers, steal one-time passwords, create fake messaging and email accounts, and other unique fraud schemes. HUMAN worked with Google and Apple to disrupt the ad fraud portion of BADBOX, dubbed PEACHPIT.
Starting point is 00:05:35 Additionally, the researchers shared information about the facilities at which some BADBOX-infected devices were created with law enforcement, including information about the organizations and individual threat actors believed to be responsible for the PEACHPIT operation. This is not the first time malware has been introduced into devices before they were purchased, and it's unlikely to be the last. But HUMAN thinks this operation was unusually clever and complicated. Researchers at Qualys have discovered a buffer overflow vulnerability that could grant attackers root privileges on millions of Linux devices, Dark Reading reports. The flaw affects the GNU C library's dynamic loader's processing
Starting point is 00:06:08 of the GLIBC_TUNABLES environment variable. Qualys says, quote, Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, highlights this vulnerability's severity and widespread nature. Although we are withholding our exploit code for now, the ease with which the buffer overflow can be transformed into a data-only attack implies that other research teams could soon produce and release exploits, which could put countless systems at risk. Scattered Spider, the ALPHV-affiliated gang
Starting point is 00:06:39 associated with the ransomware incidents at MGM Resorts and Caesars Entertainment, is now believed, Bloomberg reports, to have also been responsible for the cyberattack against Clorox. Many details of the attack on Clorox remain unclear. It's not, for example, known with certainty whether the attackers deployed ransomware, nor whether they used social engineering to gain access to Clorox systems, although both seem likely. But there's little doubt that it had an impact on the company's results. The company has been concerned about the effect of the attack on its business, since production of several product lines was interrupted during the incident. Clorox warned yesterday, the Wall Street Journal writes,
Starting point is 00:07:15 that the incident caused sales to fall between 23 and 28 percent for that quarter that closed on September 30th. The company will also show a loss for the quarter. It projected roughly $150 million in profit. Sony has confirmed a data breach that exposed the personal information of the company's employees and their family members, BleepingComputer reports. A threat actor exploited a vulnerability in Progress Software's MOVEit Transfer platform to steal the data several days before Progress disclosed the flaw in May of 2023. Sony has said, in the course
Starting point is 00:07:45 of notifying people who may have been affected, quote, on June 2, 2023, Sony discovered the unauthorized downloads, immediately took the platform offline, and remediated the vulnerability. An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement, end quote. The Cl0p ransomware gang, which exploited the MOVEit flaw to launch widespread attacks earlier this year, added Sony to its list of victims in June. And finally, the Institute for the Study of War has reported what it characterized as an intensification of digital authoritarianism in Russia. The Russian Prosecutor General's office has asked that VKontakte block posts from relatives of mobilized servicemen that call for their return home.
Starting point is 00:08:28 The prosecutor general's request effectively has the force of law. Dissemination of unreliable information about the special military operation is legally prohibited. Russia's FSB on Tuesday proposed that the Duma expand the FSB's authority over the personal and geolocation data. This authority would be in addition to earlier proposals to give the FSB complete access to user data handled by Russian internet, banking, and telecom companies. The model appears to be China. There's even a project underway in which the Russian State Social University
Starting point is 00:08:58 is developing and testing a social rating system for Russians based on the Chinese model, and that the intended generated social scores will link to personal data that government entities and banks will have access to. Coming up after the break, in today's Threat Vector segment, Chris Tillett, senior research engineer at Palo Alto Networks and member of the Advisory Board at Titaniam Labs, joins host David Moulton to delve inside the mind of an insider threat. Dave Bittner sits down with Eric Goldstein, Executive Assistant Director at CISA, to discuss shared progress against the ransomware threat. Stick around. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:09:56 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:10:34 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
Starting point is 00:11:16 lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with BlackCloak. Learn more at blackcloak.io. Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. In today's episode, I'm going to talk with Chris Tillett.
Starting point is 00:12:37 Chris is a senior research engineer at Palo Alto and a member of the advisory board for Titaniam Labs. Chris, your bio on LinkedIn was really short. It says author, speaker, technologist, and failure expert. Before we get into today's topic on insider threat, I want you to talk to me a little bit about what you mean by failure expert. Yeah, that's a title I've earned through pain and experience. I had to really learn by doing, and I have a natural curiosity. So by me looking at something and going, well, I wonder if we did this, how would that impact the network? Or if we did that,
Starting point is 00:13:11 how would that impact the systems? It helped me learn and fail fast. I love it. You've got to be fearless to be able to go into something knowing that the odds could be stacked against you, but no risk, no reward. What is insider threat and why has that become such a growing concern in today's cybersecurity landscape? Insider threats are probably the most difficult thing to address because in reality, they start in a person's figurative heart. To catch the early traces of it is extremely difficult. There are just some people that are wired to find the loopholes in an organization. And when we look at what an insider threat is, in reality, it's anyone who has access to our systems, our data, our information that could use that for their own gain or the gain for somebody else.
Starting point is 00:14:12 So tell our audience the common motivations or factors that you've seen that lead individuals to become insider threats and then how understanding those motivations help on identifying and mitigating those risks. So I call it the 10-80-10 rule. I talked earlier of there are people that are just wired to find the holes in your organization. That's about 10% of your employees. Sometimes that's data theft. Sometimes that could actually be money theft. That's also why you put controls in place. Typically, those controls are going to catch people where it starts with a dollar or two, and then eventually they get more and more bold, and then they trip a control later on. The other 10% of people that are on the opposite end of that spectrum are people that we never have to worry about.
Starting point is 00:15:06 They will never steal from the organization. As a matter of fact, they won't even borrow a pencil and take it home. It's just not how they're wired, and they refuse to do it. To me, those two sides are very easy. You have the ones that are just going to get bold and eventually screw up. And then you've got others that you never have to worry about. The hard part is the 80% in the middle. And the reason why is many of them will never become insider threats, ever. But all it takes is a change in their circumstances, a change in the organization, and all of a sudden, the thoughts creep in.
Starting point is 00:15:48 That seed of motivation, the 80% are the hardest to find. So what are some of those key indicators or behavioral patterns that organizations should be aware of when trying to identify those insiders in their workforce? It's crucial for the management to know their employees and for the SOC to be in communication with that management and track normal across an organization. Having something that does behavioral tracking is absolutely crucial. What is insider threat for HR? What is insider threat for accounting, for IT? When we're using digital assets, we are creating a profile of what is normal. If we're not able to track that, then when a user deviates from that normal, we're not going to catch those beginning indicators. CISOs need to leverage the business units.
Starting point is 00:16:50 Having that baseline on behavior immediately is one of the most important things an organization should do. But that's just my opinion. It's absolutely true, David. And so when you look at this, that baseline in comparison not only to themselves, but their organization and their peers is going to be truly enlightening to the SOC. Being able to evaluate an individual against their peer groups is going to be crucial to see whether or not they're really deviating from their norm. Chris, thanks for joining me today on Threat Vector. We'll be back on CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now. That's host David Moulton speaking with Chris Tillett of Palo Alto Networks as part of our Threat Vector segment. And I'm pleased to be joined once again by Eric Goldstein.
Starting point is 00:18:11 He is Executive Assistant Director at CISA. Eric, it's always a pleasure to welcome you back to the show. I want to touch base with you today on where we stand when it comes to ransomware and some of the partnerships that you and your colleagues there at CISA have taken on. Thanks so much, David. It's really great to be here, particularly about this important topic. Over the past year or so, we at CISA and our partners across the U.S. government realized that although we've provided guidance, best practices, assessments to help organizations secure themselves against ransomware and against the epidemic that keeps affecting far too many organizations across sectors.
Starting point is 00:18:51 We need to do more to measurably address the threat and risk that we're all facing. And so we've stood up two programs over the past year that have been remarkably impactful. The first is a program that was actually authorized by Congress last year called our Ransomware Vulnerability Warning Pilot. And the way this program works is we know that there are specific vulnerabilities that are targeted time and again by ransomware actors. They have the vulnerabilities that they like to achieve their goals. They're going to keep coming back to it again and again. And one recent example this summer, of course, is the targeting of the vulnerability in the MOVEit managed file transfer application by the Cl0p gang. With this ransomware
Starting point is 00:19:35 vulnerability warning pilot, we scan internet-facing assets for thousands of organizations across the country to identify if they are running vulnerable assets that are targeted by ransomware actors. And if we find one, then one of our regional team members pronto gets on the phone or even knocks on a door and tells the organization, hey, you really want to mitigate or patch or take offline this asset before a ransomware actor comes around and creates a really hard day for your organization and your customers. And at this point, we've notified over 500 organizations of these vulnerabilities and driven hundreds of mitigation steps that otherwise wouldn't have occurred. But we also know that even with that program, there are still too many intrusions
Starting point is 00:20:21 happening every day. But we also know that with ransomware actors, the way they operate is actually similar to other threat actors in which they'll gain initial access, but then they often don't immediately exfiltrate data. They often don't immediately encrypt data. They'll often move around the network for hours, even days, to find that high-value asset that they think they can monetize for the most ransom for the victim. And that gives us a window. And so what we've been able to do is build partnerships with security researchers, cybersecurity
Starting point is 00:20:53 companies, and government agencies who can actually see when a ransomware actor executes an intrusion on a victim organization, on a school district, on a hospital, on a small business, and they'll let us know the moment that they see that intrusion occur. And that gives us a short window where we can get out to that victim and we can say, here's some technical information about the intrusion. Here's the host ID. Here's the IP address of the actor's command and control infrastructure. Here's the credentials they're using. If you take these very specific remediation steps right now, you might actually be able to avoid harm. This has been extraordinarily impactful. Just this calendar year alone, we've done 430 of these notifications, including over 30 K-12 school districts, 50 higher education institutions,
Starting point is 00:21:46 and over 40 hospitals around the country. And a very neat one here, we've also done over 80 notifications to international organizations across 19 different countries. And most of these, we were able to get to fast enough that we could actually prevent harm. Now, obviously, this needs to scale, it needs to broaden, but both these programs are ways that we can actively show risk reduction against the cybersecurity threat. It really does, to me, seem like a great example of success in this whole notion of public-private partnership. That's exactly right. Particularly, the second program, the pre-ransomware notification initiative, is predicated entirely on really two things. The trusted partnerships that we have built with security researchers and cybersecurity companies who don't receive any compensation or other benefits.
Starting point is 00:22:44 help organizations that are being impacted by ransomware, as well as the partnerships that our regional team members at CISA have built with organizations around the country, such that when an organization gets a call from a CISA team member, they take it seriously and take quick action to address the threat before harm occurs. Are we at the point where CISA's reputation precedes itself, where if someone out of the blue gets a call from the agency that they're not left wondering, who the heck are you and why are you calling me? CISA remains a fairly new agency. And although we do everything we can to make sure that our brand is out there and we have name recognition, there are certainly still organizations around there who have never heard of CISA or even thought about ransomware risks. And so that's why it's so important for us to have this regional workforce. So even if someone's never heard of CISA, perhaps our regional cyber advisor knows somebody who knows somebody who knows that enterprise
Starting point is 00:23:37 and can actually get in there for a trusted conversation to encourage them to take quick action. For folks in our audience who want to learn more, is there a best place for them to reach out? There absolutely is. We have a one-stop shop for information about all of our counter-ransomware initiatives. It is stopransomware.gov, and that is a great place to access both our guidance and to sign up for the ransomware vulnerability warning pilot. All right. Eric Goldstein is Executive Assistant Director at CISA. Eric, thanks so much for taking the time for us. Thank you. is a full suite of solutions designed to give you total control, stopping unauthorized applications,
Starting point is 00:24:51 securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. This episode was produced by Liz Ervin and
Starting point is 00:25:33 senior producer Jennifer Iben. Our mixer is me with original music by Elliot Peltzman. The show is written by our editorial staff. Our executive editor is Peter Kilpie, and I'm Trey Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
