CyberWire Daily - State-sponsored and state-promoted cyber campaigns. A look at Royal ransomware. A new wave of BEC. Man-in-the-middle attacks rising.
Episode Date: May 9, 2023
An analysis of Royal ransomware. PaperCut vulnerability detection methods can be bypassed. Man-in-the-middle phishing attacks are on the rise. A new wave of BEC attacks from an unexpected source. Thomas Etheridge from CrowdStrike has the latest threat landscape trends. Our guest is Dan Amiga of Island with insights on the enterprise browser category. And a look into recent Russian cyberattacks against Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/89
Selected reading.
Threat Assessment: Royal Ransomware (Unit 42)
PaperCut Exploitation - A Different Path to Code Execution (VulnCheck)
New PaperCut RCE exploit created that bypasses existing detections (Bleeping Computer)
Man-in-the-Middle (MitM) attacks reaching inboxes increase 35% since 2022 (Cofense)
Exploring the Rise of Israel-Based BEC Attacks (Abnormal Security)
Russians launch mass cyber attack on online service for queueing to cross border by trucks (Ukrainska Pravda)
Reverting UAC-0006: Mass distribution of SmokeLoader using the "accounts" theme (CERT-UA#6613) (CERT-UA)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
An analysis of Royal ransomware.
PaperCut vulnerability detection methods can be bypassed.
Man-in-the-middle phishing attacks are on the rise.
A new wave of BEC attacks from an unexpected source.
Thomas Etheridge from CrowdStrike has the latest threat landscape trends.
Our guest is Dan Amiga of Island with insights on the enterprise browser category
and a look into recent Russian cyber attacks against Ukraine.
I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, May 9th, 2023.
Palo Alto Networks Unit 42 has analyzed the Royal Ransomware Group and published their findings this morning.
The gang responsible has been in operation since at least September of last year,
and it's got a lot of Conti Group alumni. They've been actively targeting infrastructure
and paying a lot of attention, unfortunately, to healthcare organizations. They've also been
seen targeting the city of Dallas, Texas,
the most prominent victim in a recent wave of attacks
against local governments in the United States and Europe.
Since Royal was discovered last year,
the gang has claimed responsibility for leaking data
of 157 organizations on their dump site.
They've also been observed hitting 14 organizations
within the education
sector, some as recently as this month. The Unit 42 researchers say that Royal malware enters
through a BatLoader infection, which threat actors usually spread through search engine
optimization poisoning, and it proceeds by dropping a Cobalt Strike Beacon as a precursor to the ransomware execution.
Researchers at VulnCheck have described a new attack method bad actors can use to exploit the PaperCut vulnerability discovered back in March.
The exploit bypasses detection methods like Sysmon-based indicators, log file analysis, and network signatures.
Exploitation of the original vulnerability imitates a normal administrator's login,
which is ignored by file log analysis detections.
Bleeping Computer explains, As for network signature detection methods,
these can be trivially bypassed if the attacker modifies the malicious HTTP request by adding an extra slash
or an arbitrary parameter into it. Microsoft has also described developments in PaperCut
exploitation, and state espionage services are involved. Redmond tweeted that the PaperCut
flaws are currently being exploited by Iranian state-backed threat actors, including Mint Sandstorm and Mango Sandstorm.
Experts recommend that users update their PaperCut NG/MF versions,
as it seems detections are not a feasible option for this exploit.
Mitigations are available from PaperCut.
In a report released this morning,
researchers at Cofense Intelligence explained that
man-in-the-middle attacks, MitM for short (and more recently called person-in-the-middle by many),
have increased by 35% between the first quarter of 2022 and the first quarter of 2023.
The threat actors are combining MitM attacks with credential phishing. The goal is to steal usernames, passwords, and session cookies to bypass multi-factor authentication.
95% of the observed attacks target Microsoft Office 365 authentication.
They also tend to use URL redirection, with a notable 89% of campaigns using at least one URL redirect and 55% using two or
more. These MitM phishing attacks evade standard secure connection processes used in most websites
by setting up two secure connections between the attacker and the victim and the attacker and the
desired website. The attackers then use a proxy login page to harvest credentials from the victim.
Do you associate business email compromise attacks with Nigerian gangs?
Well, okay, but there are plenty of other places these crooks work from,
like, for example, Israel, of all places.
Abnormal Security reports a rise in Israel-based business email compromise attacks,
while many BEC attacks are traceable to West Africa,
where their bumpkin cousin, the well-known Nigerian Prince scam, flourishes.
This threat actor, believed to have been active since at least 2021,
has no direct Nigerian ties.
The gang targets employees within an organization
by telling them that their
organization is working through an acquisition and needs their help with a required payment.
The threat actor assumes two false personae, one typically of the chief executive, the other of an
attorney working on mergers and acquisitions. At least 350 campaigns have been traced to this Israeli gang since February of 2021.
They've been observed to target large enterprises with high revenues.
Victims have been found in more than 61 countries.
Recent Russian cyber-ops against Ukraine seem to be either hacktivist or, frankly, criminal.
Ukrainska Pravda reports that Russian operators, apparently
hacktivist auxiliaries, conducted an unsuccessful cyber attack against EQ, Ukraine's system for
managing border crossings by commercial trucks. The system is said to be functioning normally.
In other cyber attack news from the hybrid war, CERT-UA warns that the financially motivated Russian criminal group UAC-0006
is pushing SmokeLoader malware in a phishing campaign.
CERT-UA describes UAC-0006's track record and its customary aims,
saying that they aim to compromise accountants' PCs,
steal authentication data, and create unauthorized payments.
The phishing emails are staged from compromised accounts,
and they often misrepresent themselves as billing documents.
The payload is carried in an attached zip file.
So shields up, and be careful where you click.
Careful where you click.
Coming up after the break,
Thomas Etheridge from CrowdStrike has the latest threat landscape trends.
Our guest is Dan Amiga of Island
with insights on the enterprise browser category.
Stay with us.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
Thank you.
emergence of a category of enterprise browsers, which promise to be customizable and more secure.
Dan Amiga is co-founder and CTO of Island, a provider of enterprise browsers,
and I caught up with him at the RSA conference for some details.
Well, I think the modality of the browser, everybody knows about it. And I have this saying,
which is my mother
and somebody that works at JP Morgan,
they use the same browser.
It doesn't make any sense.
There's two different sets of requirements.
And what we've done is we've built a browser
that plays really well with the enterprise.
So it interconnects to your networking layer.
It connects to your SaaS applications,
your identity provider,
your device posture controls.
So think about it as a platform
where we packed the security world,
the IT world,
but also the productivity world
into that operating system
that's called a browser.
And when you do that,
a lot of the things IT and security
has been doing for years
become somewhat obsolete.
Like, why would you need to have
a man-in-the-middle proxy
to filter out traffic
if you can have it done in the browser layer?
Why would you need to install another VPN tool
if you already have that VPN connectivity in the browser?
Why would you have to buy a password manager
if you have it built into the browser?
So we saw that by building it,
it brings a lot of simplicity,
but also new use cases like BYOD,
which is a big problem for organizations today.
Folks, they don't like having lots of tools
installed on their own computer.
So we see a lot of interesting use cases there
when you build a browser that's targeted for the enterprise.
And I think the last piece,
and we call this the length of the wire,
is that folks don't like to work on remote environments,
on VDI environments, et cetera.
So we had this enterprise browser idea,
I'd say a long, long, long time.
And what I saw is I saw a lot of folks
who used to work for me in my previous companies.
They were in their 20s.
And I was like, in 10 years,
that's the guys that are going to run the banks,
they're going to run healthcare,
they're going to run a lot of companies,
they're going to be the major workforce.
These guys don't like a lot of things
that are stopping them in the way of doing their work.
They don't like VDIs and VPNs and all of that stuff.
So when you build all of that stack
into something that's as easy to install as Zoom, it looks like Chrome, it just brings a lot of simplicity but also good user experience.
Work becomes faster, et cetera.
So help me understand here.
When we're talking about, for example, someone working from home, is the enterprise browser an opportunity to
separate the work life
from the personal life?
In other words,
use your personal browser
for your personal stuff
and your enterprise browser
for your work life?
Absolutely.
So you go on Facebook
or Instagram
or what have you,
your personal life
goes on whatever browser
you like, right?
But once you need to access
Salesforce
or corporate resources,
any business-related applications,
you're being enforced to use Island.
Now think about the alternative.
The alternative is you're being blocked
from doing work on your BYOD.
Or the alternative is you have to install a VPN,
VDI into an environment that's not an experience you like,
and it costs thousands of dollars for the organization.
Like a VDI session is about $1,000 to $2,000 a session.
So really that two modalities, you can have your own, whatever browser you want for your personal life,
and then the enterprise browser for your work life.
And coming kind of from the other side,
can the security team in the organization say,
you may only access this corporate stuff
through your enterprise browser?
Correct.
Usually it's being done in several ways,
but you can integrate, let's say,
with the organization identity provider
or with tools the organization have today and enforce that.
So think about, again, I like to use the Zoom metaphor.
Let's say you don't have Zoom on your computer.
I send you a Zoom invite, you click on that invite,
and if you don't have Zoom, you'll be prompted to download it,
and then the Zoom session launches.
The enterprise browser is the same, right?
So you're trying to log in to a business application
from a consumer cold browser,
from Chrome or Edge, Firefox, Safari, et cetera,
and you're being prompted to download Island
or it automatically launches if it was pre-installed,
and then you get all of the security and IT tools built in.
I would imagine, too, that there's a privacy component here
for the users to have that separation
between my personal browser and my work browser.
If I'm the enterprise,
I'm not interested in what the person's doing
in their free time and I don't want to log that.
I don't want to know.
So there's kind of a win there for both sides
to keep those two things separate
but still to cohabitate on a single device?
Privacy is a huge thing in this space. So we have hundreds of customers to date in Island,
and they range from hospitals or the healthcare industry to the hospitality industry,
financials, even tech companies here in the Valley, some pretty big names.
And each one has different privacy requirements.
They're geographically distributed.
Some would want to audit more than the others, et cetera. And by having these two modalities of your personal browser
and your enterprise browser, you can really deliver that.
And a lot of organizations should not see
into your personal stuff.
Today, they're forced to.
They have to decrypt SSL,
their DLP tools are injecting themselves
into every app, et cetera.
We make it possible so the organization
doesn't see the data.
For the end user, we even added
some controls to reflect the
privacy level. So let's say you
go to a website and it's not
being monitored. It's a personal website
but you happen to use the
enterprise browser for it, you'll get a privacy
indication that says that data is not being
sent anywhere. Oh, interesting.
And also the enterprise
can set controls on anonymization,
anonymization of IPs, anonymization of data.
So you can definitely create some interesting privacy
improvements.
That's Dan Amiga from Island. And it is my pleasure to welcome back to the show Tom Etheridge.
He is the Chief Global Services Officer at CrowdStrike.
Great to have you here and to be face-to-face here at the RSA conference.
Nice to be here, Dave. Thanks
for having me. Yeah. So before we dig too deep into things, I'm interested in your general
feeling for this year's show here. First of all, I think the population is much bigger than I was
anticipating. Really great turnout, a lot of great activities in the demo and booth areas,
and really good client interactions. A lot of discussion about some of the topics I'm sure
we're going to touch on in this session. Yeah. Are you sensing anything from some of the economic
headwinds that we've been seeing here? I'm thinking both on the industry side, but then
clients, it's on the top of their minds as
well. Certainly, we see a lot of activity around consolidation of agents running on endpoints.
It's certainly a topic we talk to customers and prospects about. How do I achieve some economies
of scale and savings by reducing the number of agents that are running on my endpoint,
yet provide the same kind of capabilities and detection and prevention
and monitoring enhancements that I'm looking for from a product or a platform.
We've seen a lot of folks shift from point solutions to suites to now platform plays.
So a lot of folks looking to consolidate and save money
by moving towards
platforms that deliver more extensible capabilities. Can we touch on some of the threats that you and
your colleagues at CrowdStrike are tracking these days? What are the big ones that you have your eye
on? So Dave, in our global threat report, we talk about the increase that we've seen year over year
with e-crime, about a 20% increase.
Breakout time, which is a measurement that we use to assess from the time a threat actor gains initial access in an environment to the time they move laterally.
We're seeing that still under two hours, so about 84 minutes.
The speed at which threat actors are moving is quite aggressive.
And on the e-crime side, we've seen a shift towards not so much removing or not deploying ransomware.
We're seeing threat actors gain access to an environment, seek to exfil data that's sensitive or important to the victim. And then instead of deploying ransomware, come back with an extortion
payment for leaking that data on an open forum. So moving from pure ransomware deployment to
data extortion as a means to monetize their operations.
Can we talk about the global big picture? Obviously, we have the invasion of Ukraine by Russia and the cyber aspects of that as one of the global operators.
You know, you all have a hand in the defense of the Western world.
What's your take on where we stand with that?
I think most people feel as though Russia has really underperformed here.
What are you all tracking?
Well, what we saw was during the initial campaigns, we saw the combination of both cyber-related activities and threat actors from the Russian organizations targeting Ukraine,
destructive attacks and misinformation types of attacks to kind of change, you know,
change what the strategy and perceptions were about the initial campaign.
Things have obviously slowed a little bit in terms of most of the kinetic warfare continues.
But we think that in the springtime, when, you know, the rainy season, muddy season ends,
we do expect that there might be some resurgence of both cyber-related attack activity
as well as the continued kinetic activity.
How do you think this informs the rest of the players around the world
in terms of potential future conflicts and the role that cyber plays?
Well, I think this is not a secret. I think most
organizations and countries are very concerned about the impact that cyber plays in providing
a low-cost means to do destructive harm to organizations that they might be targeting
from a military perspective. It's certainly proven to be effective here with Russia
and what they've been doing with Ukraine. Yeah. You know, looking forward towards the rest of
this year and beyond, where do you suppose we're headed? And what are the trends that you all are
tracking? Or is there any sense that we're gaining ground here? Well, there's a few things that I
think are important to bring up. And there's certainly themes here from the RSA event. We've heard a lot of talk about artificial intelligence and technologies like ChatGPT.
Very important, really great engineering effort to pull together technologies like that to help improve automation,
improve the scale at which hunting and response-related activities can be performed.
Make no mistake, it's not a panacea for good old-fashioned human hunting and human response-related activities.
We're monitoring the good use cases that we see with tools like ChatGPT,
but equally we're concerned about the use cases for doing evil with those types of toolings.
Yeah. All right. Well, Thomas Etheridge, thanks so much for joining us.
Thank you, David.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today
to see how a default-deny approach can keep your company safe and compliant.
Thank you.
email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information
and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence
routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting
the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people. We make you smarter about your team while making your team smarter. Learn more at
n2k.com. Back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.