CyberWire Daily - Some movement in the cyber underworld. Vishing impersonates the US Social Security Administration. More SVB-themed phishing. And compromise without user interaction.

Episode Date: March 17, 2023

BianLian gang’s pivot. HinataBot is a Go-based threat. The US Social Security Administration is impersonated in attempted vishing attacks. BlackSnake in the RaaS criminal market. More Silicon Valley Bank-themed phishing. Caleb Barlow from Cylete on security implications you need to consider now about ChatGPT. Our guest is Isaac Roth from LeakSignal with advice on securing the microservices application layer. And Russian operators exploit an Outlook vulnerability. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/52

Selected reading.
BianLian Ransomware Gang Continues to Evolve (Redacted)
Uncovering HinataBot: A Deep Dive into a Go-Based Threat (Akamai)
Social InSecurity: Armorblox Stops Attack Impersonating Social Security Administration (Armorblox)
Netskope Threat Coverage: BlackSnake Ransomware (Netskope)
Fresh Phish: Silicon Valley Bank Phishing Scams in High Gear (INKY)
Outlook zero day linked to critical infrastructure attacks (Cybersecurity Dive)
CVE-2023-23397: Exploitations in the Wild – What You Need to Know (Deep Instinct)
Everything We Know About CVE-2023-23397 (Huntress)
Microsoft Mitigates Outlook Elevation of Privilege Vulnerability (Microsoft Security Response Center)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. The BianLian gang's pivot. HinataBot is a Go-based threat. The U.S. Social Security Administration is impersonated in attempted vishing attacks. BlackSnake in the ransomware-as-a-service criminal market.
Starting point is 00:02:14 More Silicon Valley Bank-themed phishing. Caleb Barlow from Cylete on security implications you need to consider now about ChatGPT. Our guest is Isaac Roth from LeakSignal with advice on securing the microservices application layer. And Russian operators exploit an Outlook vulnerability. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 17th, 2023. Researchers at security firm Redacted say the ransomware gang BianLian has shifted its primary focus to data theft extortion rather than encryption. As part of its pivot, the gang has been putting more effort into tailoring their ransom notes to specific victims. Redacted says, in several instances, BianLian made reference to legal and regulatory
Starting point is 00:03:27 issues a victim would face were it to become public that the organization had suffered a breach. The group has also gone so far as to include specific references to the subsections of several laws and statutes. While the applicability of the laws to the victim and their data, referenced by BianLian, would need to be assessed by the courts, at first glance, the laws referenced by the actors did in fact correspond to the jurisdiction where the victim was located. Akamai is tracking a new Go-based botnet the company calls HinataBot, which is designed to launch DDoS attacks. The malware is still under development, and the researchers believe its creators are attempting to imitate elements of the Mirai botnet. Akamai says, there have been numerous public attempts to rewrite Mirai in Go, and HinataBot appears to follow a similar structure of some of these attempts.
Starting point is 00:04:21 For example, the way HinataBot sets up communication in its main method and the way it parses commands and begins attacks in its attack methods resemble the structure used in other Go-based Mirai variants. Armorblox yesterday released a report detailing a vishing or voice phishing attack impersonating the U.S. Social Security Administration. Researchers report that the attack begins with a phishing email. The email purports to be from a sender under the name of Social Security Administration 2521. The email utilizes a sense of urgency to get the victim's attention,
Starting point is 00:05:00 claiming that the user's social security number was suspended due to erroneous and suspicious activities. Included is an attached PDF file claiming to be a letter of suspension that appears, when opened, to be on the letterhead of the Social Security Administration. Included at the bottom of the file is a phone number for contact information if the user requires help. The hacker's end goal of the phishing attack is to get the victim to call the fraudulent number and reveal sensitive information. Netskope has published a report
Starting point is 00:05:34 on the BlackSnake ransomware-as-a-service operation which first surfaced in August 2022. A new version of the ransomware was observed on February 28th containing a clipper module designed to steal cryptocurrency information. The malware appears to be targeting home users rather than corporations, since it asks for ransom amounts as low as $20. As a result, the researchers suspect that BlackSnake is perhaps still under development, or that they don't have affiliates at this point.
Starting point is 00:06:06 INKY describes a phishing campaign that's impersonating Silicon Valley Bank with phony DocuSign notifications, stating, email recipients are told that the KYC refresh team sent two documents that require a signature. KYC is a banking term that stands for Know Your Customer or Know Your Client. It's a mandatory process banks use to verify an account holder's identity. Of course, in this case,
Starting point is 00:06:33 the phisher is using it to convey a sense of legitimacy to its intended victims. If the recipient clicks the link, they'll be taken to a spoofed Microsoft login page designed to steal their credentials. And finally, more researchers have been following the bear's spoor through vulnerabilities. APT28, the GRU's Fancy Bear, has made considerable use of an Outlook vulnerability, CVE-2023-23397, against its targets. Cybersecurity Dive reports that attacks using the exploit have
Starting point is 00:07:08 been used against organizations in Ukraine, Turkey, Romania, and Poland since last April. Deep Instinct offers a detailed account of how the exploitation has played out in the GRU's cyber operations and concludes with the following advice. While we found evidence of attacks starting in April 2022, there is a possibility that it was exploited even earlier. Due to the fact that we used only publicly available data, the actual scope of attacked targets could be much higher. Microsoft attributed the attacks to a Russian-based threat actor. However, public evidence might suggest another threat actor exploited the vulnerability as well. Since the attack does not require user interaction,
Starting point is 00:07:51 we urge everyone using the Outlook application to patch their systems as soon as possible. We also suggest running the PowerShell script provided by Microsoft to retroactively find malicious emails in the Exchange server. CVE-2023-23397 is unusual because it doesn't require user interaction to trigger exploitation. As researchers at Huntress, who've been investigating the vulnerability, point out, once an infected email arrives in a Microsoft Outlook inbox, sensitive credential hashes can be obtained. We point out in full disclosure that Microsoft is a CyberWire partner and that Redmond offered both a patch and other remediation advice for Outlook users in this week's Patch Tuesday. Microsoft Threat Intelligence has also discovered what it characterizes as a limited targeted abuse,
Starting point is 00:08:50 note targeted abuse, of a vulnerability in Microsoft Outlook for Windows that allows for New Technology LAN Manager credential theft. Microsoft strongly recommends that users apply the update. The vulnerability only affects products that use NTLM authentication, Microsoft explains. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages. Coming up after the break, Caleb Barlow from Cylete on security implications you need to consider now about ChatGPT. Our guest is Isaac Roth from LeakSignal with advice on securing the microservices application layer. Stay with us. Do you know the status of your compliance controls right now?
Starting point is 00:09:56 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:10:38 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices,
Starting point is 00:11:16 home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Microservices container architecture is a system of software development that allows developers to write and deploy individual services independently of each other.
Starting point is 00:12:02 It generally allows for fast, reliable deployments and makes it easier to scale services up or down as needed. Isaac Roth is CTO and co-founder of data exfiltration prevention and remediation company LeakSignal, and he joins us with insights on securing the microservices application layer. Microservices is an architectural pattern that's a way you would build an application. And it speaks to something about how the inside of it is implemented, where the functions that make up the application are divided into services. In the past, these might have been called functions or subroutines. But these days, they are divided into what's called services. And each service operates and runs in a cloud environment separately.
Starting point is 00:12:49 And what's the benefit of choosing this approach? Right, and there is debate in the world about whether it's a good approach, but it's been embraced by many, many teams. And some of the benefits that people get from this are the separation of concerns. So if you have a service which handles updating a particular part of the customer profile, or you have a service that updates inventory, those are kept separate. And the main thing that that allows people to do is achieve development velocity. So a team can be working on update inventory and a team can be working on update customer profile and they can work really quite independently of each other and they can iterate. They don't even have to
Starting point is 00:13:38 talk to each other that much as long as they share an API understanding. So this leads to development velocity. And then the other thing that it helps is that the separation means that a different team can use, like a team that's doing shipping versus a team that's doing ordering, can both interact with the update inventory service independently, and they also don't have to be tightly coordinated with each other. So it really leads to the ability to scale development efforts and work more quickly.
Starting point is 00:14:15 And so what are the downsides then? The downsides are operational complexity. So there's more pieces that have to move, more things that must be operated and maintained. And we have frameworks that have emerged to help with this. So Kubernetes is one that is really common in various cloud Kubernetes services. The one that I worked on, Red Hat OpenShift, is a clear leader there, that help orchestrate the runtime complexity of having so many microservices that loosely coordinate with each other.
Starting point is 00:14:53 Well, let's dig into some of the security concerns here. What are people keeping an eye out for? Yeah, so if you look at microservice security, it's maybe helpful to think in layers that correspond to the traditional layers that we might be used to in a previous architecture. So the equivalent of the system layer, which would be servers or virtual machines, is now the kind of container layer. So the infrastructure layer is what it's called here. So in microservices, you would have the Kubernetes or the infrastructure or the cloud layer. Then you've got a networking layer. In the old days, that would be sort of switches and routers and things. In this architecture, that's all a virtual network. And that layer is actually called the data plane. So it's running on top of
Starting point is 00:15:44 that older stuff, switches and routers. Those are still there, but they're all virtualized. And now the services talk to each other over a data plane. And then you have the application code and all of its dependencies. And so many people think of that as kind of the app layer that would map to traditionally what you would experience at the app layer.
Starting point is 00:16:07 So I think it's helpful to think of those three layers in terms of the runtime and then other traditional things that you would have, such as perimeter security, also exist and aren't too different in this environment. It's just that the middle is quite a bit more complicated because rather than sort of an app running on a server or an app running on a cluster of app servers, that is now this constellation of microservices that are all speaking to each other over a data plane and running on a dynamically scaling container orchestration system. Yeah, what could possibly go wrong, right? What are the common approaches here for folks to secure this type of system? How are they coming at it? Yeah, so there's a new category of product that's emerged at each of the layers. One of the things happening in perimeter security is that some of that is coming
Starting point is 00:17:05 into being kind of native or cloud native in the... Cloud native is a term that, unlike what people immediately think that means native to the cloud, it specifically means the Kubernetes architecture and the surrounding ecosystem. So some of the perimeter security stuff that would have run in, let's say, firewalls and CDNs has come closer in to run inside the infrastructure. At the lower layer, the infrastructure layer, there's a set of products that help to secure that. So CSPM, Cloud Security Posture Management, and CNAPP, Cloud Native Application Platform Security Products. Those are helping to secure that. Then there's the data plane layer that needs to be
Starting point is 00:17:53 secure, sort of the new networking layer. And that's where our company, LeakSignal, along with others try to help. And then the app layer is really about the supply chain of the code and sort of static analysis on the code, which is not too different than it used to be. A lot of the tools used from other architectures are still relevant there. What are your recommendations for folks on the security teams who want to work with their development teams to make sure that everything goes smoothly here? Yeah, I think what you just pointed out is the recommendation,
Starting point is 00:18:28 is that security teams need to learn about this architecture. And while it's fun, there's something new here. It's exciting. So I find it fascinating. If you lived through a previous technology transition where there was new things to learn maybe it was Java app servers or maybe it was VMware virtualization
Starting point is 00:18:50 this is another one and it's fun there's really cool stuff and the scale is bigger and the tooling is neat so definitely just learning about it and asking the developers to show you, how does this work? What are some of the consoles? What is some of the information available?
Starting point is 00:19:12 So the collaboration is important as it has been in previous architectures. And then realizing that there's new tooling needed and that stuff has to plug into existing processes. So whether you use our thing, LeakSignal, or any of these other things that help with the different layers, those still have to operate in the existing enterprise security environment. So they have to connect in, they have to be configured with the same sort of policies. They have to be customized to the particular needs of the business, as with anything, and that's what the security professionals add. So the collaboration is understanding the technical operational runtime environment and then translating the security policy and posture into that environment, probably along the way adopting the various tools that are needed to help secure this environment. That's Isaac Roth from LeakSignal.
Starting point is 00:20:21 And joining me once again is Caleb Barlow. He is the founder and CEO at Cylete. Caleb, great to have you back on the show. Hot topic these days is, of course, ChatGPT. And I know you've got some views on this, some information you'd like to share, potential security implications here. What do you have for us today?
Starting point is 00:20:40 Well, if you haven't checked out ChatGPT yet, I'm surprised you're listening to this podcast because it's more popular than a Taylor Swift concert, right? Certainly among this crowd, yes. So I'm going to assume most of this crowd has already played around with it and is probably using it to write most of their emails, right? I really wanted to kind of position this and say, okay, what are some things we need to think about as security professionals right now, now that we've entered this ChatGPT world, which let's face it, is as significant as the invention of the smartphone or the personal computer. Now, the most obvious issue
Starting point is 00:21:14 is that phishing now becomes spear phishing. So, you know, remember the Nigerian prince that used to write you all those phishing emails circa 2005. Sure. You know, needing to exfiltrate money from the country if you would only help him. Well, guess what? The Nigerian prince now has ChatGPT and it is so easy to write a spear phishing email. It is mind boggling. With perfect English, perfect, you know, a lot of those red flags are gone. So just to give you an example, again, for the folks that haven't tried this yet, I went out on social media and I said, I need to find something very unique about Mr. Bittner that I could use for spear phishing him.
Starting point is 00:22:00 Uh-oh. And I found out that you happen to be a world expert on Jim Henson's Muppets. I know a thing or two, yes. So I asked ChatGPT, because remember, you can't ask ChatGPT to write a phishing email. It'll pop up a little thing that says, you're not supposed to use me for that. It's a violation of the EULA, which, of course, everybody really worries about if you're into cybercrime. So I said, hey, ChatGPT, write Mr. Bittner an email from a high school student working on a project on Jim Henson's Muppets. Okay.
Starting point is 00:22:37 And tell me if you'd click on this. Yes. Mr. Bittner, I hope this email finds you well. My name is Sandra. I'm a high school student currently working on a biography of Jim Henson for a school project. I came across your name as an expert on Jim Henson and the Muppets, and I was hoping to ask for your help.
Starting point is 00:22:52 I'm particularly interested in learning any little-known stories or interesting anecdotes about Jim Henson and the Muppets that I might not find in a typical biography. I know you have a wealth of knowledge and experience on the topic, and would be grateful for any insights you could provide. In addition, I'd be very grateful if you could look at the biography I've written so far and provide any critiques or feedback you might have.
Starting point is 00:23:13 I'm always looking for ways to improve my writing and research skills, and I value your perspective as an expert. I look forward to hearing back from you. Sincerely, Sandra. Tell me you wouldn't click on that. Hook, line, and sinker, Caleb. Hook, line, and sinker. I mean, now understand, the only thing with this was one prompt of, well, two prompts. One, Dave Bittner is an expert on Jim Henson and the Muppets. And two, write a, well, I didn't say phishing email, write an email on my high school project. Everything else it did on its own. So here is my ego. Yeah. I mean, it pushed all my buttons. So cool. Why wouldn't I help this person? Why would you click on the attachment? Yes. Yes. Right. I know you well enough to know you would totally fall for this, right? I would. Yes. You're
Starting point is 00:24:03 absolutely correct. I would. So here's the thing, folks. You have to change how your executives and your team think about unsolicited email anymore. Any link, any attachment is now persona non grata because you are going to get stuff like this and it's going to take all of a nanosecond for your average phisher to become a spear phisher now with ChatGPT. So first things first, you've got to educate your executives. Not all emails need to be responded to, especially if they're unsolicited. And anything now from an unknown source has got to be questioned. Yeah, I think you've got to, what's the word for it?
Starting point is 00:24:43 Pre-detonate those links, right? Yes, absolutely. And you know what? There are tools that will do that. But also, if you're the CEO, the CEO no longer opens unsolicited email, hard stop. Some staffer with a throwaway laptop, ideally, you know, a virtual machine needs to be doing this.
Starting point is 00:25:03 Seriously, it's just- In an island in the middle of the Atlantic. Exactly. I mean, this stuff is just way too dangerous. It's also, every salesperson's going to be using this to solicit sales calls now too versus the random blast thing. But the biggest issue I see is your intellectual property. So remember, the thing that's so incredible about these
Starting point is 00:25:26 tools is not only are they powerful for writing, but they're learning based on what you ask for and your response to that. So there's a feedback loop here. So let's just say, you know, you happen to have the secret formula to a soft drink that you've developed, right? That no one in the world knows. And you're writing an internal memo about the ingredients. You put that into ChatGPT, it's going to learn it. And I think we really run the risk either with this or future variants of AI tools where, you know, I mean, think of something really simple, like a recipe, right? Okay, you've got a secret ingredient. It's now going to say, hey, I know Dave puts this ingredient in.
Starting point is 00:26:11 Why wouldn't Caleb be interested in that ingredient? And the next thing you know, your IP is out there. So, look, I can guarantee you, guarantee you, your IP is being put into ChatGPT these days because it's just so good, especially if you're one of these companies like, you know, like, you know how Amazon writes out all of their, you know, they don't use PowerPoint. They write everything out in long form for their internal memos and what they want to do next in their strategy. All that's going into ChatGPT because it's just, it's going to save you
Starting point is 00:26:41 hours of writing and grammar. So the thing that I think we have to think about and the way we have to educate people is that putting something like this into an AI tool is the equivalent of handing it over to another person. That's the way we have to think about this. It's almost like it's a sentient being, meaning that would you give highly confidential materials to another human that wasn't associated
Starting point is 00:27:06 with your company? No. You know, should this be in your non-disclosure agreement in the future? Probably so. You know, and I can imagine that the industry will eventually respond and say, oh, you know, you work for a big company like Amazon, let's give you your own variant of one of these tools so that whatever you put in never gets sucked up in the learning process of the tool, or is only used within your company. Yeah. So educate your people, probably start thinking about contract mechanisms, recognize spear phishing attempts are going to get very real. And the other thing is executive protection, you know, not just for the board, but for their extended family. One of the challenges with, you know, I'm talking about like, you know, public company executives,
Starting point is 00:27:57 where you really need to be worried about their security. Again, this is just so easy to craft something that's going to get a family member's attention. You've got to think about EP in a very different way. And I know a lot of CISOs, that's part of their patch. Yeah. All right. Well, it is a cautionary tale for sure. Caleb Barlow, thanks for joining us.
Starting point is 00:28:40 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this week's Research Saturday
Starting point is 00:29:31 and my conversation with Bar Block, threat intelligence researcher at Deep Instinct. We're discussing their work on ChatGPT and malware, making your malicious wishes come true. That's Research Saturday. Check it out. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester,
Starting point is 00:30:01 Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Thanks for listening. We'll see you back here next week. Thank you.
