CyberWire Daily - Supply-chain attack's effects spread. CISA makes new KEV entries. Bumblebee malware loader described. Decoy Dog toolset discovered. Discord Papers were shared earlier and more widely.
Episode Date: April 24, 2023
3CX is not the only victim in the recent supply chain attack. The PaperCut critical vulnerability is under active exploitation. The Bumblebee malware loader is buzzing around in the wild. A new, unique malware toolkit called Decoy Dog. Rick Howard, CSO from N2K Networks, shares RSA Conference predictions and talks about his new book, "Cybersecurity First Principles." Our guest Theresa Lanowitz from AT&T Cybersecurity shares insights on securing the edge. And the alleged Discord Papers leaker shared earlier and more widely than previously known.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/78
Selected reading.
3CX Hackers Also Compromised Critical Infrastructure Firms (Infosecurity Magazine)
That 3CX supply chain attack keeps getting worse (Register)
Energy sector orgs in US, Europe hit by same supply chain attack as 3CX (Record)
Even more victims found in complex 3CX supply chain attack (CybersecurityConnect)
X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe (Symantec Enterprise Blogs)
URGENT | PaperCut MF/NG vulnerability bulletin (March 2023) (PaperCut)
PaperCut CVE-2023-27350 Deep Dive and Indicators of Compromise (Horizon3.ai)
Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers (The Hacker News)
CISA KEV Breakdown | April 21, 2023 (Nucleus Security)
CISA Adds Three Known Exploited Vulnerabilities to Catalog (Cybersecurity and Infrastructure Security Agency CISA)
CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug (The Hacker News)
CISA adds printer bug, Chrome zero-day and ChatGPT issue to exploited vulnerabilities catalog (Record)
Bumblebee Malware Distributed Via Trojanized Installer Downloads (Secureworks)
Google ads push BumbleBee malware used by ransomware gangs (BleepingComputer)
Bumblebee malware infects victims via fake Zoom, Cisco and ChatGPT software installers (Record)
Decoy Dog malware toolkit found after analyzing 70 billion DNS queries (BleepingComputer)
Analyzing DNS Traffic for Anomalous Domains and Threat Detection (Infoblox Blog)
Airman Shared Sensitive Intelligence More Widely and for Longer Than Previously Known (New York Times)
FBI leak investigators home in on members of private Discord server (Washington Post)
From Discord to 4chan: The Improbable Journey of a US Intelligence Leak (bellingcat)
Europe's Planes Keep Flying Despite Cyberattack (Wall Street Journal)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code N2K at checkout.
3CX is not the only victim in the recent supply chain attack.
The PaperCut critical vulnerability is under active exploitation.
The Bumblebee malware loader is buzzing around in the wild.
A new unique malware toolkit called Decoy Dog.
Our guest, Theresa Lanowitz from AT&T Cybersecurity, shares insights on securing the edge.
And the alleged Discord papers leaker shared earlier and more widely than previously known.
From the RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire summary for Monday, April 24th, 2023.
The supply chain attack that affected 3CX didn't end at the telecommunications company. The trojanized X_Trader software, which led to the 3CX attack, was available for download in 2022, and it seems to have been downloaded by at least two critical infrastructure organizations. Symantec reported Friday that the X_Trader software supply chain attack affected more organizations than 3CX. Initial investigations by Symantec's Threat Hunter team have, to date, found that among the victims are two critical infrastructure organizations in the energy sector, one in the U.S. and the other in Europe. Symantec adds, the process for payload installation is almost identical to that seen with the trojanized 3CX app. Given the nature of the initially infected software, it seems that this could be a financially motivated attack. X_Trader is a financial trading program. Symantec explained that there are probably more victims, as this breach is indicative of a complex and successful template for software supply chain attacks.
On Friday, CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog: a PaperCut MF/NG improper access control vulnerability, a MinIO information disclosure vulnerability, and a Google Chrome Skia integer overflow vulnerability.
PaperCut blogged details of a critical vulnerability, a 9.8 out of 10 CVSS score, affecting servers running the software. The company explained, The PaperCut application is popular with state, local, and education-type organizations, where just education makes up 450 of those results. PaperCut released a security patch on the 8th of March, 2023, to address this vulnerability and updated its patch bulletin today, advising its users to urgently update their servers with the most recent patch, as they believe some servers are actively being exploited. PaperCut also said, If you suspect that your server has been compromised, we recommend taking server backups, then wiping the application server and rebuilding the application server and restoring the database from a safe backup point prior to when you discovered any suspicious behavior. Experts continue to recommend that users should update their software in accordance with developer recommendations, as this would lessen your organization's exposure to fixed vulnerabilities.
Google released a statement which listed CVE-2023-2136 as one of the eight vulnerabilities it patched on the 18th of April. It added, Google is aware that an exploit for CVE-2023-2136 exists in the wild. MinIO posted that all users of distributed deployment are impacted. All users are advised to upgrade as soon as possible.
Bleeping Computer reports that the Bumblebee malware loader, originally developed by the Conti gang, has been observed in use once again. The loader is distributed through fake Google Ads for legitimate companies such as Zoom, Citrix, and ChatGPT. The original malware was observed in April of last year, with stealth updates seen in September. Secureworks reports finding a fake Cisco AnyConnect Secure Mobility Client version 4.0 Google ad, which would send the user to a compromised WordPress site to download the client. If the user downloaded the fake client, they'd end up with the Bumblebee malware on their device. Secureworks advises utilizing the legitimate sites of these clients in order to download and update them. The Record notes the Google Threat Analysis Group's discovery of the Bumblebee loader in 2021, with links to a range of threat actors.
Infoblox explained that scanning some 70 billion IP addresses daily has led to its discovery of a new malware toolkit, Decoy Dog. Infoblox says, the domains we describe are all related to a single toolkit we call Decoy Dog, which is identified using a DNS fingerprint matching 0.000027% of domains currently active in the world. Infoblox adds, When we analyzed the queries in external global DNS data, the C2 communication originated almost exclusively from hosts in Russia. Because global DNS traffic is polluted with retransmitted queries from multiple sources, and because at least one of the C2 servers was located in Russia, we cannot assume that this was authentic communication from a compromised host. One of Decoy Dog's tools is a remote-access Trojan, Pupy RAT. Infoblox describes this as a dangerous and powerful RAT due to its fileless nature and slow encrypted C2 communications. It is hard to detect by EDR solutions and can stay hidden for a long time in an afflicted network. Pupy is one of the few RATs that offers broad multi-platform capabilities, uses an old version of Python, and therefore is able to infect a majority of Linux and mobile devices. This unusual feature makes Decoy Dog easy to identify. Infoblox says it hasn't yet discovered the purpose of Decoy Dog and that it plans to release more findings as they become available, stating, In writing this paper, we have found that the mysteries surrounding Decoy Dog and its presence in our networks are complex and unresolved. We expect to release further reporting as we are able to explain the activity.
The New York Times reports that it's found signs that Airman Jack Teixeira, who faces U.S. federal charges in the Discord Papers case, began sharing highly classified intelligence about Russia's war against Ukraine earlier than had previously been reported, and that he appears to have done so in a second Discord channel that was larger than the Thug Shaker Central group he's been associated with. The Times writes, In February 2022, soon after the invasion of Ukraine, a user profile matching that of Airman Jack Teixeira began posting secret intelligence on the Russian war effort on a previously undisclosed chat group on Discord, a social media platform popular among gamers. The chat group contained about 600 members. The Times also reports that the airman also direct messaged foreign members of the group, offering to tell them more about the information he had available. DM me and I can tell you what I have, he's alleged to have said. The evidence connecting Airman Teixeira with the recently discovered Discord group is circumstantial but suggestive. Neither his defense attorney nor the FBI nor the U.S. State Department were willing to comment to The Times on its story.
And finally, in one of the sidelights of Russia's hybrid war, the effects of the cyberattack against Eurocontrol, the European air traffic control organization, continued into the weekend. The disruptions claimed by Russia's Killnet did not disrupt flight operations, the Wall Street Journal reports, but Killnet continues to crow large over the nuisance value of its attack.
Coming up after the break, our guest Theresa Lanowitz from AT&T Cybersecurity
shares insights on securing the edge. Plus, my conversation with Rick Howard about his new book
and his book signing here
at the RSA conference.
Stay with us.
Do you know the status
of your compliance controls right now?
Like right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
AT&T Cybersecurity recently published their Cybersecurity Insights Report,
Edge Ecosystem, which shows DDoS attacks on the edge as the most likely perceived threat for
primary use cases. For insights on the report's findings, I spoke with Theresa Lanowitz, head of
cybersecurity evangelism at AT&T Business. This year, we're focusing on edge ecosystem.
And the premise of this is security is getting to be really, really difficult because
of the complexity, but security is really an integral part of everything that is happening
with these new edge types of deployments that we're seeing. So we took a look at that and said,
well, what types of problems are people facing? They need to make sure that they're securing
everything from the transport infrastructure to endpoints, to the operating system, to the data that they're either storing or that they are
using. And they also need to make sure that they're securing those application workloads as
well as that application in production while it's actually being used. Everything from putting it
into production
to managing it, monitoring it during runtime, and then retiring that application.
So taking a look at how security plays into that whole stack was really our key goal.
Just in terms of definitions here, I mean, how do you and your colleagues there at AT&T
Cybersecurity define edge computing? Yeah, edge is really an interesting one. If you talk to
10 different people, we will probably get 11 different answers on what edge actually is.
And I've mentioned the word edge a couple of times. And when you talk to a vendor,
the definition of edge tends to skew to the tech stack that they're selling. If you talk to a
client of any particular vendor, or if you talk to a client who's out there
building some type of edge application, edge environment,
it tends to skew again to the tech stack that they're using.
And we noticed this when we were doing the research.
We noticed this starting really in 2022,
where people were saying,
well, you've said the word edge, what do you really mean?
You have the network edge, you have the cloud edge, you have the device edge, you have the telco edge.
So what do you really mean by edge?
And what we were able to come up with is there are really three key characteristics that
edge really includes.
So the first characteristic is it's a distributed model of management, intelligence, and networks.
The second key characteristic is that the
applications, the workloads, the hosting, it's closer to where that data is being created and
consumed. And the third characteristic is that it's software defined, and that could be on-prem
or in the cloud. And when people hear those primary characteristics, they suddenly say,
ah, okay, I start to get it.
And what I always do is when I'm speaking with somebody, I say, you know, we probably all use these edge type of applications and not really even known it.
And the one that I like to use quite frequently as an example is a public parking structure.
You go into a public parking structure and they have the board, you know, you go to the first floor and they have the board saying there are 200 spaces on this floor, but there are only two available. And you think to yourself, am I really going to drive
through this first floor of the parking lot to find one of those two spaces, or will I go up a
level? So you go up a level and it says, you know, there are 200 spaces and there are 150 open. And it's a pretty easy choice.
But when you think about what it does in that parking structure, it eliminates that traffic
just driving through that parking lot, looking for an open parking space and so on. So it's that
experience that you're going into that parking garage, you're getting that better experience.
And that data is being delivered into your real time. So that's a big part of what
edge is. And we really look at those three characteristics and say, those are the three
primary characteristics in making up an edge environment. And we've seen the use cases that
people are exploring around edge just continue to expand between 2022 and 2023.
Well, let's dig into some of the report's findings then. What are some of the things
that caught your eye? Yeah, so I think if you take a look at the report, one of the things we know
is that 58% of the survey respondents said that they are either in a proof of concept phase,
or they are in full implementation or partial implementation of an edge use case.
So what that tells us is things are happening very fast.
Things are changing very, very quickly.
And security is becoming a big part of everything that happens.
And we saw this movement to security really being an integral part of everything that's going on inside of the organization.
We saw that really accelerate with the pandemic.
In 2020, we really saw that security moved from being a technical issue to a few really smart people being able to figure things out to really being a business enabler.
So security is now this business enabler and it's part and
parcel of everything the business is doing. And one of the things we learned last year is that
the line of business organizations we talked to, they said, you know what, we are moving to the
edge because we think it's going to deliver better business outcomes. It's going to give
us a competitive advantage. But what they also said is we are not going to move to the edge
unless we are in lockstep with our security team. So security is now central to what organizations
are doing. And across the board, what we found this year was that there's this proactive investment
in security, which is really a positive, positive thing. If you think
back five, six years ago, security was in many cases an afterthought or organizations would say,
I'm not really going to proactively invest in security. I'll wait until I have to.
So we have that proactive investment in security. What we also found is that because of the
complexity of what organizations are undertaking with the edge, this partner ecosystem was really critical.
Security is not a do-it-yourself operation any longer. It is, let's bring in trusted advisors
to help us. Let's work with the likes of consulting organizations, managed security
services organizations, global systems integrators,
telcos, let's work with someone who has done this before because the stakes are really too high.
And then the third thing is we found that organizations, they really want to make sure
that they are building resilience into what they're doing. They want to make sure that
what they're doing is they're able to future-proof those edge types of
use cases that they're building out, those edge types of applications. They want to make sure
that it's ready to move forward. So those are kind of the top three things, the proactive investment,
a good, strong partner ecosystem, and building resilience.
That's Theresa Lanowitz, head of cybersecurity evangelism at AT&T Business.
And it is always my pleasure to welcome to the show Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, it is great to see you.
Hey, David. It's good to see you in person because usually we're doing this through a Zoom call somewhere.
I know, right?
This is great.
Well, and it's great to be here in San Francisco, as we like to say, the city by the other bay,
being near Baltimore natives ourselves, or some of us anyway.
So it is the Monday of RSA. This is the first day of this busy week here. Kind of a preview day,
I guess. I mean, the show floor will be open for a couple hours, a couple hours from now.
I'm curious, you know, when that show floor opens, besides the booths that are giving away free beer,
where are you going to run first? What are you most interested in taking in this year?
Well, first, I love coming to San Francisco. It's my favorite city of all the big cities, because it doesn't feel like New York City or Chicago or some of those big ones. It's spread
out over this beautiful area. And when we come to RSA, it's like spring here.
And it feels like, and I've been doing this for years,
but it feels like a high school reunion.
All your friends, all right, who are in the industry
show up here every year, or most of them do.
And I just look forward to it a lot.
As to the show, I'm not looking for anything specific
in advance, but there are some things I'm trying to get a handle on while we're here this week.
I'm interested in updates of, you know, I'm a big fan of SASE, Secure Access Service Edge.
And it was, you know, big hype a couple of years ago,
and now it's kind of on the trough of disillusionment, you know, on the Gartner hype cycle.
Right, right.
But people are working on it,
and I'm trying to get a handle on what that's going to be in the next couple of years.
Also looking for anything involved with XDR,
which is basically using APIs
to connect all your security stack stuff.
And that's been around for years,
but it seems to be gaining momentum.
Yeah.
And I guess the
last thing I'm looking for updates on is anything around software-defined perimeter, meaning getting
away from logging into the actual secret sauce server that has all the really special stuff.
And you do all that identity and access management away from that workload and then decide if I'm
authorized to go there and then go there.
So that's been around for a while too, but I'm looking for updates for that.
One of the fun things I find every year at RSA Conference
is seeing what the unplanned theme of the show is.
I mean, the conference has their own theme, and that's great.
But then to see what all the vendors have hopped on the bandwagon about,
I think probably the most famous slash notorious one was a few years ago
when everybody was pitching AI.
AI was the thing, right?
Every booth had AI.
I'm curious what we're going to see it be this year.
Wondering if you have any predictions
as to what may be the hot topic among the vendors here.
Well, I'm with you that the hot topics kind of show up.
I think Zero Trust was one of them for the last couple of years.
But here's my hot take for the prediction.
I think everybody is going to be talking about ChatGPT.
Not AI specifically, but ChatGPT.
That seems to have caught the imagination
of every security practitioner that I've talked to in the last six months.
So I am with you on that, and I am intrigued by that.
What I'm really interested in finding out is how many vendors are going to say,
have something that basically says ChatGPT enabled?
And how many are going to say, we can protect you from things that are ChatGPT enabled?
Right?
It's right.
Well, now I'm going to have to get my bingo card out, okay,
and start keeping track of everything.
Right.
Because it's not clear cut with that, right?
No, not at all.
Not at all.
Okay.
But, yeah, but I'm sure that everybody will say
that they know how to plug in to ChatGPT to make your zero trust better or something like that.
It's a really great point that everyone's going to, at the very least, have an answer to that question.
What is your company?
How does your company deal with ChatGPT?
Everybody's going to have to answer that.
Yeah, exactly right.
Yeah.
Well, the other big news this week I know for you is you are doing a book signing at the RSA bookstore.
Give us the details on that.
Yeah, well, this is the culmination of a year-long effort.
I remember walking into our boss's office about a year ago right after RSA and said,
I think I've got enough for a book here, you know?
And he didn't throw me out of his office,
which I'm grateful for.
So we wrote the book and we're finally publishing it here
in conjunction with the RSA conference.
And I'm going to be signing copies of it at the bookstore.
That's at Moscone South on April 26th
at 3:30 p.m. PDT.
So if you guys, anybody's in the area
and are fans of the Cyber Wire,
just come on by.
I would love to talk to you about our shows
and maybe even convince you to buy my book.
All right, fair enough.
Well, Rick Howard, always a pleasure to chat with you.
I hope we get to cross paths again this week.
It's just, I mean, I'm sure we will, but it's just that kind of week where you never know, right?
I know Dave's here in San Francisco, but I haven't seen him yet.
Yeah.
All right.
Thanks for joining us.
All right, buddy.
See you.
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is a production
of N2K Networks, proudly
produced in Maryland out of the startup studios
of DataTribe, where they're co-building
the next generation of cybersecurity
teams and technologies.
This episode was produced by Liz Urban
and senior producer Jennifer Ivan.
Our mixer is Trey Hester, with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.