CyberWire Daily - Shopping during wartime? Focus, people.
Episode Date: November 16, 2023

Cyber safety for the holidays. Using regulatory risk to pressure a ransomware victim. A call for regulatory action against a supply chain threat. Rhysida malware: a warning and a description. Extending local breaches in Google Workspace. Protestware in open-source products. GRU's Sandworm implicated in campaign against Danish electrical power providers. Jason Meller, Founder & CEO of Kolide, joins us as part of our sponsored Industry Voices segment to discuss the findings from The Shadow IT Report. In this Threat Vector segment, David Moulton sits down with Sama Manchanda, a consultant at Unit 42, to discuss the fascinating world of social engineering attacks, delving into the distinct characteristics of phishing, smishing, and vishing. And donation scams: exploiting sympathy.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/219

Threat Vector: Please share your thoughts with us for future Threat Vector segments by taking our brief survey. To learn what is top of mind each month from the experts at Unit 42, sign up for their Threat Intel Bulletin.

Selected reading.
New Visa Report Tells Consumers to Stay Alert this Holiday Shopping Season (Business Wire)
Ransomware gang files SEC complaint over victim's undisclosed breach (BleepingComputer)
11-14-2023 EFF Letter to FTC re: Malware on Android TV Set-Top Boxes (EFF)
#StopRansomware: Rhysida Ransomware (Cybersecurity and Infrastructure Security Agency | CISA)
Investigating the New Rhysida Ransomware (Fortinet Blog)
Analyzing Rhysida Ransomware Intrusion (Fortinet Blog)
The Chain Reaction: New Methods for Extending Local Breaches in Google Workspace (Bitdefender)
Protestware taps npm to call out wars in Ukraine, Gaza (ReversingLabs)
Russia's Sandworm Linked to Unprecedented Danish Energy Hack (Bloomberg)
Russian Hackers Linked to 'Largest Ever Cyber Attack' on Danish Critical Infrastructure (The Hacker News)
Denmark hit with largest cyberattack on record (Cybernews)
Attackers Exploit Crisis for Fraudulent Crypto Donations (Abnormal)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Cyber safety for the holidays.
Using regulatory risk to pressure a ransomware victim.
A call for regulatory action against a supply chain threat.
Rhysida malware: a warning and a description.
Extending local breaches in Google Workspace.
Protestware in open source products.
GRU's Sandworm implicated in campaign against Danish electrical power providers.
Jason Meller, founder and CEO of Kolide,
joins us as part of our sponsored Industry Voices segment
to discuss the findings from the Shadow IT report.
In this week's Threat Vector segment,
David Moulton sits down with Sama Manchanda,
a consultant at Unit 42,
to discuss the fascinating world of social engineering attacks
and donation scams exploiting sympathy.
I'm Trey Hester, filling in for Dave Bittner with your CyberWire Intel briefing for November 16th, 2023.
We are just eight days away from Black Friday,
as many Americans have come to call the lonely shopping day after Thanksgiving,
so it's not too early to start thinking about staying safer online.
As you look for bargains galore, keep some advice from Visa in mind.
A report from Visa outlined cyber threats facing consumers during the holiday season.
Visa's data shows that for the top merchant categories targeted by fraudsters,
2022 holiday fraud rates increased 11% over their non-holiday fraud rate
and saw an increase of 8% over the previous year during this time.
The report warns users to be on the lookout for digital skimming, phishing, social engineering,
ATM and POS skimming, one-time passcode bypass, provisioning fraud, and physical theft.
BleepingComputer reports that the BlackCat ransomware gang has dimed out one of its claimed
victims to the U.S. Securities and Exchange Commission.
Their victim, the criminals allege, failed to disclose a cyber incident that had a material impact on its business by filing an 8-K within the prescribed four days.
BlackCat claimed to have stolen data from software company MeridianLink on November 7th.
MeridianLink has not paid, so the gang has reported the company to the SEC.
However, MeridianLink states that they have found no evidence of data loss.
The gang received an automated reply from the SEC, but it's unlikely their complaint will be found to have merit.
For one thing, the SEC's new disclosure rule does not take formal effect until December 15th,
even though companies are already adjusting their practices to come into compliance.
And for another thing,
public companies will be required to disclose attacks that have had a material impact.
The Electronic Frontier Foundation has asked the Federal Trade Commission to stop resellers from selling set-top Android boxes and mobile devices known to be compromised with malware.
The ban the EFF advocates would affect devices manufactured by Allwinner and Rockchip.
These devices, the EFF says, were found by HUMAN researchers to be infected by BadBox malware.
The infected devices can also be used to stage other attacks without their owner's knowledge
and expose them to legal risk as well as ordinary cyber risk.
The EFF argues that this supply chain problem is a consumer protection issue,
which therefore clearly lies within the FTC's remit.
CISA, the FBI, and the Multi-State Information Sharing and Analysis Center have released a
joint cybersecurity advisory describing the Rhysida ransomware-as-a-service operation.
The advisory states that Rhysida actors have compromised organizations in the education,
manufacturing, information technology, and government sectors, and that any ransom paid is split between the group and its affiliates.
Rhysida actors leverage external-facing remote services such as VPNs, the Zerologon vulnerability, and phishing campaigns to gain initial access and persistence within the network.
Fortinet has published an analysis of the Rhysida intrusion, noting, quote, the majority of the TTPs employed by the threat actor during this
intrusion are typical of these types of ransomware intrusions, and no novel techniques were observed.
While the threat actor may have had more sophisticated TTPs within their repertoire,
in this case, they were able to achieve their outcome using exclusively unsophisticated known TTPs.
As ransomware and extortion-based attacks continue to affect thousands of victims like this one across the globe every day,
organizations should focus on ensuring they can detect more of the basic TTPs employed throughout this intrusion.
Researchers at Bitdefender have uncovered previously unknown attack methods
for escalating a compromise from a single endpoint to a network-wide breach in Google Workspace.
The technique involves an OAuth 2.0 refresh token stored by Google Credential Provider for Windows.
The refresh token follows a two-step storage process.
First, it's temporarily stored in the registry, and later finds a more permanent home under the user's Chrome profile.
Decrypting it is possible from both locations, each with its own set of pros and cons.
The registry approach is stealthier, offering a discreet way of accessing the token.
However, it does have a drawback. It's only available for a limited time.
On the other hand, the profile-based storage method provides a more extended time frame for access,
but it's harder to conceal, making it a noisier option.
ReversingLabs today draws attention to the phenomenon of protestware, that is, the practice of concealing scripts advocating for some political position in npm packages embedded in open-source software.
The message is commonly displayed after a user installs or executes the software.
ReversingLabs states that although the latest packages are not malicious,
they underscore a persistent risk in open-source software in which unintended and malicious features can lurk undetected,
even in widely used applications.
The two campaigns discussed in the report are being run separately in the Palestinian and Ukrainian interests,
and while protestware tends to shadow current events, it's not confined to the fighting in Ukraine or Gaza.
SektorCERT, Denmark's cybersecurity center for the critical sectors, this week described what
it characterized as the largest cyber attack on record against the country's critical infrastructure.
In May of this year, an APT group, which SektorCERT associates with Sandworm,
simultaneously hit 22 companies in Denmark's highly decentralized electric power sector.
The attacks, which began on May 11 and continued into the last week of this month,
exploited CVE-2023-28771, a critical command injection flaw affecting Zyxel firewalls.
The vulnerability had been disclosed and addressed in late April,
but the attackers were able to find enough unpatched systems to gain access.
The attack was ultimately detected and stopped without disruption to the power distribution,
but it seems to have been aimed at gaining comprehensive access to Denmark's grid.
The attacks proper were preceded by a reconnaissance phase that began in January.
A simultaneous attack against so many targets suggests both careful planning and determined execution.
SektorCERT properly notes the difficulties of attribution and stops short
of saying the incident was the work of Russia's GRU. But on form, it certainly looks like a
Sandworm operation. Similar attacks have been mounted against Ukraine's power grid,
and the incident in Denmark strongly suggests that infrastructure
in what Moscow tends to call the collective West
can be expected to figure in Russian target lists.
And finally, Abnormal Security this morning described a continuing criminal campaign
that lures its victims with phishbait that appeals for donations
to ease the plight of Palestinian children suffering the present war between Hamas and Israel.
The phishing email contains neither malicious attachments nor malicious links.
Instead, it simply asks that contributions be deposited in cryptocurrency wallets specified in the email.
Donations are accepted in Bitcoin, Litecoin, or Ethereum.
The email is generally well-written in idiomatic American English,
lacking the usual stigmata of non-standard grammar and awkward usage.
To lend credibility to the appeal,
the scammers include links to real resources
describing shortages of clean water and medicine.
Coming up after the break, Jason Meller, founder and CEO of Kolide, joins us as part of our sponsored Industry Voices segment to discuss the findings from the Shadow IT Report.
In this week's Threat Vector segment, David Moulton sits down with Sama Manchanda,
a consultant at Unit 42, to discuss the fascinating world of
social engineering attacks. Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
I stumbled into cybersecurity by accident. I actually switched majors six times in college and happened to find a class that was an intro to cybersecurity class.
It was an elective called From Hackers to CEOs, Intro to Information Security.
And I was like, oh, that sounds fun.
I took the two unit elective and the rest was history.
I absolutely fell in love with it.
And that completely changed the trajectory of my life.
Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights,
new threat actor TTPs, and real-world case studies.
Unit 42 is a global team of threat intelligence experts, incident responders, and proactive
security consultants dedicated to safeguarding our digital world.
I'm your host, David Moulton, Director of Thought Leadership for Unit 42.
In today's episode, I'm going to talk with Sama Manchanda.
Sama is a consultant at Unit 42.
She's hyper-competitive in the video game Just Dance and will take on anyone with the song Rasputin.
Sama, where are you recording from today?
I am recording from Austin, Texas.
When you and I were thinking about the show, you pitched me on this idea of the ishing tales,
the smishing, the vishing, the phishing, and that dual view on social engineering.
But help me understand, what's going on with those different ishings?
All three of them are different types of social engineering attacks.
Phishing, being the most common, is related to email,
usually targeting users to click on a link of some kind.
Smishing is similar, it just uses texting or SMS instead.
And then vishing is over the phone usually. It involves some level of talking to another person
and trying to do some actual interaction with them to gain access or gain information of some kind.
From an offensive security perspective, what strategies or techniques do attackers often employ
to make their social engineering attacks more successful?
Some of the tactics that make a lot of these attackers more successful are more thorough research
and a more tailored approach to the environment.
So those nitty-gritty details of figuring out exactly what process or what system is in place
can help establish that trust, establish that rapport with the end user,
and make them think that this is more believable or this isn't something of high concern.
For example, with phishing, knowing exactly the type of email provider that they're using or VPN provider or something like that,
and having somebody reset their credentials, if they see the right logo, if they see the right tool or whatever,
they're more likely to fall for that attack and enter their credentials versus,
if I'm a Microsoft 365 user and, you know, this is a phishing email for Gmail,
they're more likely to immediately, off the bat, recognize something is off.
For vishing, the fact that you know about employees can sort of convince a help desk employee that you are in fact this other employee.
And you can say, like, oh, okay, well, I know I'm supposed to have this running on my system, or I know that Cortex XDR is running on my system, for example.
That establishes some level of trust with the help desk person that, oh, okay, this person's actually looking at their laptop and actually is running the tools that they're supposed to be.
As you were saying this, one of the things that has stuck out to me when I've got a phishing email that tells me that my Windows machine has been infected,
I always chuckle to myself because I only use a little iPad as my personal device.
Could you share some insights on the deeper side, the digital forensics and incident response,
how social engineering attacks like phishing are used as attack vectors in larger network intrusion cases?
So we very commonly see things like phishing, smishing, vishing.
And mainly we see them as, like, an initial intrusion vector.
And we also sometimes see it as a way for them to move laterally or move around
and try and basically spread themselves further in an environment.
In the cases of phishing and smishing, we've seen a bunch of large engagements where attackers have done their due diligence
with reconnaissance and targeted large numbers of employees with emails or texts, directing them to
click malicious links and enter their credentials.
On the vishing side, we've seen engagements where attackers have targeted IT support staff
and are able to gain access to user accounts by impersonating users and saying, hey, I need help with my password.
Can you reset it?
We've seen cases where the attackers are actually able to trick the IT support staff into granting them access as well.
And those are really dangerous.
Help the listener understand what's the most important thing that they should be taking away from this conversation.
So continuously training and educating people to be aware and to be alert and to just question, you know, when things aren't quite right is the biggest thing, I think.
The sad truth of security is that end users, people like you and me, are the most vulnerable part of any company.
And that includes people, again, even with a lot of training; people still make mistakes.
Having a culture where employees feel safe to raise those questions and self-report
is, I think, just as important as having the training in place.
If somebody's afraid to report that they have made a mistake or something doesn't seem right,
all that creates more time in which an attacker has unfettered access to the environment.
So it sounds like if you're trying to put together a security culture in your organization,
find a way to give people the confidence that when they have made a mistake or think they've made a mistake,
that it isn't retaliation or a punishment.
Yeah, absolutely.
Sama, thanks for joining me today on Threat Vector to share your tales of ishing.
We'll be back on CyberWire Daily in two weeks.
Until then, stay secure, stay vigilant. Goodbye for now.
That's David Moulton speaking with Sama Manchanda, a consultant at Unit 42.
Zero-trust access provider Kolide recently published their Shadow IT Report,
surveying over 300 IT security and business folks to learn more about what workers do on unmanaged devices.
Jason Meller is founder and CEO at Kolide.
And in this sponsored Industry Voices interview, we dig into some of the surprising details from the report.
Anytime that you put a report like this together, any survey,
you immediately regret not asking additional questions,
because every survey that comes out, you're just like, wow, this revealed so much.
I wish I had asked X, Y, and Z.
But we did have the foresight to, I think, dig in the right areas to really understand
the crux of the problem, how pervasive it is, and effectively why it's occurring.
So the first stat that really surprised us was that 75% of the workforce admitted to doing work on non-company-owned devices.
And we always knew that that number was going to be high,
but to hear it be 75% of the workforce doing some amount of work on non-company-owned devices was surprising to us.
The next logical question we had after that,
because I think the first place I would go is,
oh, this must be happening on phones.
We're talking about mobile, we're talking about email,
or maybe even a little bit of chat.
We're not talking about real stuff,
and we're not talking about laptops.
Well, no, we found that a lot of the stuff
people admitted to doing wasn't just email.
It was effectively things that were really concerning, like cloud-based file sharing.
54% of respondents said that they were doing that on work devices.
Customer service, 46%.
Software development, so that's folks writing code.
29% folks admitted that they were doing that.
Even more concerning, managing cloud infrastructure.
So I'm talking about logging into Amazon, pushing things to production.
27% respondents said that they were doing that.
And we also had a whole segment in the survey talking about AI-based application use.
So ChatGPT, GitHub Copilot, things like that.
A quarter of folks said that they were using those tools on their personal devices.
So we see here that there is a major desire by these employees to use their personal devices
while they're working remotely or maybe even in the workplace to do their job.
And the next question we asked for that was why.
And the survey also revealed
that the number one reason people did this
was simply because they liked their device better.
That was the number one cited reason.
I expected to hear,
oh, it's because there's this onerous MDM solution,
or maybe I'm being surveilled.
No, it was just, I like my device better. I have a better Mac or whatever it was.
That's what's getting folks to do this.
Wow, that's an interesting insight.
I'm curious, how does this intersect with folks who are investing in things like zero trust?
Yeah, I think that the zero trust push right now
is really about recognizing that things have really changed
in the last three to four years.
Previously, and I remember this before I started Kolide,
when I was working at a big company,
my day-to-day experience was taking my work laptop,
signing into the VPN,
and about half the apps I needed to access
were in that private network.
And the other half the apps were SaaS apps.
But the ones that were in the network
were the most important ones
and wanted to lock those down.
It never occurred to me to take my VPN client
and put it on my personal device.
That always felt like a bridge too far.
But now you have organizations and you have end users
who are working from home.
Their personal laptop is right there.
And the majority of the work that they're doing
is on SaaS apps that are outside of the private network.
In fact, if they forget to connect to the VPN,
their experience in terms of what they're able to do
and not able to do is almost effectively the same.
So it's no surprise to me that folks then say,
well, why don't I just use my personal laptop for this?
Clearly, the IT and security team isn't asserting
any sort of technological protection
to stop that from happening.
So maybe implicitly, they're saying it's fine
because otherwise, wouldn't they do that?
So now you have folks that are doing that and they don't even know that it's bad.
They're doing it with impunity, and they're answering surveys like the one that we worked with Dimensional Research on, and they're actually admitting to it.
I think that's really surprising to a lot of IT and security practitioners.
That's why we published the report.
I think it underscores the importance of any zero-trust goals or mission
that you have at your organization.
At the end of the day,
zero-trust is about ensuring
that not just the correct user is signing in,
but a big part of it is device trust,
ensuring that they're using the correct laptop.
The thing that we do at Kolide is we assist with that
by not just ensuring the right laptop is able to access the apps,
but that the laptop is in a state that the IT and security team really care about.
So is it patched? Is the browser patched?
Is there any sensitive data on that device that shouldn't be there?
Is it enrolled in the MDM? These are all things that we can detect.
And if they aren't correct, we can actually block the device and then ask the end user to fix any issues before they're allowed to sign in again.
That I think is something folks should really start looking at because the
data is showing us that if you're not doing that, your end users are doing work on their personal
device, which is not good. Based on the information that you all gathered
here in the study, what are your recommendations? What do you hope people take away from it?
Well, I hope it kicks off a conversation between IT practitioners, security teams, and end users.
I think that a lot of this is happening, and there's an awareness that it could be happening
at a small amount or small level,
but at the end of the day,
it's the majority of their employees
are not using the right devices to sign in.
And I think that the conversation, I think, starts with,
okay, why is that bad?
Do we really care about that?
And we've tried to enumerate what are the risks.
Beyond the obvious, you don't want sensitive data from those apps to live on the device.
Every time a web browser makes a successful authentication attempt to any SaaS app,
there is some transference of essentially authentication, like plain text credentials in the form of cookies.
We've seen with the Okta hack and the MGM hack,
there is a big appetite for malware authors
and cyber criminals to harvest these credentials.
And you really want to be in a place
from an IT security perspective
where if you're trying to detect that style of malware
and those styles of attacks,
you want to do so on the devices that you've provisioned so that you can install things like CrowdStrike or other EDR tools.
If the end users are using their own tools out there or their own devices, you don't have any visibility or ownership of those devices, and you can't deploy a detection apparatus that's going to find those types of problems.
And all it takes is one or two of those cookies falling in the wrong hands.
They establish a session in a system they shouldn't have access to, and that could lead to a major incident.
I think we've done a great job as an industry
of forcing cybercriminals to a place where they have to now start
compromising endpoints to be able to sign into stuff.
Phishing is really hard to do now with phishing-resistant multi-factor auth,
and there's less and less network-based attacks you can deploy to get that level of access.
All the good stuff is now on the device.
And now it's time to really have a discussion with security leadership and end users that,
hey, it may be more convenient for you to use personal devices,
but we can't properly protect the organization and you without some oversight and management capability on those devices.
That starts with making sure they're using the right device to access the company's resources.
That's Jason Meller, founder and CEO at Kolide.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is me with original music by Elliott Peltzman.
This show is written by our editorial staff.
Our executive editor is Peter Kilpe.
And I'm Trey Hester filling in for Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.