CyberWire Daily - Taking down the storm.
Episode Date: December 14, 2023

Microsoft takes down the Storm-1152 cybercrime operation. "GambleForce" is a newly discovered threat actor. The SVR exploits a JetBrains TeamCity vulnerability. US Postal Service impersonation. Malicious ads associated with Zoom. An update on the cyberattack against Kyivstar. Apache issues a Struts 2 security advisory. The FCC adopts new data breach rules. In our latest Threat Vector segment, David Moulton and Palo Alto Networks' Madeline Sedgwick discuss the skills and methods necessary for understanding threat actor intent and behaviors. And the State Department's Global Engagement Center is under fire.

CyberWire Guest
On the Threat Vector segment with Palo Alto Networks Unit 42's David Moulton, hear about decoding cyber adversaries. David discusses unveiling intent and behavior in the world of threat hunting with Madeline Sedgwick.

Selected Reading
Microsoft disrupts cybercrime operation selling fraudulent accounts to notorious hacking gang (TechCrunch+)
New hacker group GambleForce targets government and gambling sites in Asia Pacific using SQL injections (Group-IB)
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally (Joint Advisory)
Malvertisers zoom in on cryptocurrencies and initial access (Malwarebytes)
Russian hacker group claims responsibility for Kyivstar cyberattack (The Kyiv Independent)
New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now (The Hacker News)
FCC Adopts Updates to Data Breach Rules, Sets Up Privacy Battle (Bloomberg Law)
State Dept.'s Fight Against Disinformation Comes Under Attack (The New York Times)

Threat Vector
In this Threat Vector segment, David Moulton and Palo Alto Networks' Madeline Sedgwick discuss the skills and methods necessary for understanding threat actor intent and behaviors. Madeline, a Senior Cyber Research Engineer and Threat Analyst for the Cortex Xpanse team at Palo Alto Networks, shares insights into how analyzing adversary behavior helps in anticipating threats and avoiding guesswork. They discuss the value of understanding both system dynamics and human behavior in cybersecurity, emphasizing that cyber adversaries are limited by the same laws of internet physics. To learn what is top of mind each month from the experts at Unit 42, sign up for their Threat Intel Bulletin.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Microsoft takes down the Storm-1152 cybercrime operation.
GambleForce is a newly discovered threat actor.
The SVR exploits a JetBrains TeamCity vulnerability.
U.S. Postal Service impersonation.
Malicious ads associated with Zoom.
An update on the cyberattack against Kyivstar.
Apache issues a Struts 2 security advisory.
The FCC adopts new data breach rules.
In our latest Threat Vector segment,
David Moulton and Palo Alto Networks' Madeline Sedgwick
discuss the skills and methods necessary for understanding threat actor intent and behaviors.
And the State Department's Global Engagement Center is under fire.
It's Thursday, December 14th, 2023. I'm Dave Bittner, and this is your CyberWire
Microsoft has dismantled the infrastructure of Storm-1152, a cybercrime operation that sold fraudulent Outlook accounts to other hackers,
including the Scattered Spider gang.
Storm-1152, a significant player in the cybercrime-as-a-service ecosystem,
created about 750 million fake Microsoft accounts
through its service HotMailbox.me,
generating millions in illicit revenue
and causing extensive damage to Microsoft.
This group was labeled as the leading creator
and seller of fraudulent Microsoft accounts.
Storm-1152's modus operandi involved using bots to deceive Microsoft security systems, creating fake Outlook email accounts, and then selling them to cybercriminals.
They also offered CAPTCHA solver services, aiding fraudsters in bypassing CAPTCHA systems and exploiting
Microsoft and other online environments. Microsoft's investigation revealed that groups like Scattered
Spider, involved in major ransomware attacks and data breaches, including against Okta customers
and MGM Resorts, utilize Storm-1152's services. These attacks caused disruptions and damages running
into hundreds of millions of dollars. On December 7th, Microsoft obtained a court order to seize
Storm-1152's U.S.-based infrastructure and domains, including HotMailbox.me and the associated CAPTCHA
services. The company also identified the individuals behind
this operation, all based in Vietnam. Microsoft's Digital Crimes Unit, led by Amy Hogan-Burney,
headed up the effort, assisted by Arkose Labs, who've been tracking Storm-1152 since August of
2021. Arkose Labs CEO Kevin Gosschalk noted Storm-1152's uniqueness
in operating openly on the internet,
offering training and customer support for its tools.
Security firm Group-IB announced this morning
its discovery of GambleForce,
which it describes as a new threat actor
working against targets in Australia, China, India, Indonesia, the Philippines, South Korea, Thailand, and Brazil.
The group's name derives from its initial attention to the gambling sector,
but GambleForce quickly branched out to government, retail, and travel websites.
Job-seeking sites also figured among the targets.
Group-IB states,
In almost all known attacks, GambleForce abused public-facing applications of victims by exploiting SQL injections.
Among the attack software the group used were publicly available open-source tools.
GambleForce seems to have been indiscriminate in its theft of accessible data,
but the researchers haven't been able to determine what the threat group is doing with that data.
Group-IB says it's taken down GambleForce's command and control server and notified the victims it's been able to identify.
CISA, NSA, SKW, CERT Polska, and the UK's NCSC have jointly warned that Russia's SVR is exploiting a vulnerability in JetBrains' TeamCity software.
TeamCity is critical for software development processes like building and testing.
The SVR's successful exploitation of this vulnerability could give them access to source code, signing
certificates and software deployment processes, posing a significant software supply chain
threat.
This operation mirrors the SVR's past tactics, including the notorious 2020 SolarWinds breach.
While the current exploitation hasn't had as widespread an impact, the SVR has used it to escalate privileges,
move laterally, deploy back doors, and ensure long-term network access. Their targets are
selected based on vulnerability exposure. The advisory details the SVR's cyber attack techniques,
indicators of compromise, and recommended mitigations. It also reviews the SVR's history of cyber operations since 2013,
highlighting their focus on gathering foreign intelligence
and targeting technology companies for future operations.
Fortinet researchers provide insights into the SVR's methods,
including the use of GraphicalProton malware for persistence,
a tool previously linked to other SVR activities.
Researchers at Uptycs are tracking a smishing campaign that's impersonating
the U.S. Postal Service in order to steal victims' personal and financial information.
The text messages inform recipients that a USPS delivery requires their attention
and directs them to click on a link in order to resolve the issue.
The link leads to a fake U.S. Postal Service website
that asks the user to enter their name, address, and billing information.
The researchers have tied this campaign to over a thousand active phishing sites.
Uptycs believes the scammers are based in China and are targeting users around
the world. Researchers at Malwarebytes are tracking an increase in malvertising themed
around Zoom, noting that these campaigns are likely targeting victims who are into cryptocurrencies
as well as corporate users in order to gain access to company networks. One of the campaigns is
delivering a new loader dubbed HiroshimaNukes that delivers information-stealing malware.
The researchers add, threat actors have been alternating between different keywords for
software downloads such as Advanced IP Scanner or WinSCP, normally geared towards IT administrators.
Ukraine's SBU has attributed the recent attack on Kyivstar, Ukraine's major mobile and internet
service provider, to a Russian pseudo-hacker group working for the GRU, giving Russia plausible
deniability. The group, Solntsepek, claimed on Telegram that they targeted Kyivstar for supporting Ukraine's military and government agencies.
They exaggeratedly claimed to have destroyed thousands of computers, servers, and all cloud storage and backup systems of Kyivstar.
Although the extent was overstated, the disruption was significant.
Another group, Killnet, initially claimed responsibility, but analysts from Mandiant dismissed this as unlikely,
viewing it as an opportunistic claim lacking credibility.
The cyberattack began Tuesday morning,
with Kyivstar gradually restoring services,
starting with landline voice services,
although full recovery is expected to take some
time. Solntsepek has been linked to the GRU's Sandworm activities.
Apache has issued a security
advisory for a critical flaw in the Struts 2 web application framework, which could lead to remote
code execution. This vulnerability, discovered by Steven Seeley of Source Incite, stems from defective
file upload logic, allowing unauthorized path traversal and the potential uploading of malicious
files to execute arbitrary code.
Struts, a Java framework for building web applications, has released patches for the
affected versions.
Developers are strongly urged
to update as there are no alternative workarounds. Although no real-world malicious exploits have
been reported yet, a past security flaw in Struts was used in the 2017 Equifax breach.
Recent updates indicate that threat actors are now attempting to exploit this vulnerability
with reports of active exploitation to install web shells and establish network footholds.
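The defective upload pattern described in the Struts story, as an added illustration that is not part of this episode and not Struts' own code: a generic Python upload handler that trusts the client's filename (letting it traverse out of the upload directory, or drop a web shell at a path of the attacker's choosing), beside a hardened version that reduces the name to a basename, allowlists the extension and confirms the resolved path stays inside the upload root. The upload directory, the extension allowlist and the attacker filenames are constructed for the example.

```python
import os
import posixpath

# Assumed upload root; constructed for this example, not a Struts setting.
UPLOAD_DIR = "/var/app/uploads"

# Assumed allowlist of file types the application actually expects.
ALLOWED_EXT = {".png", ".jpg", ".pdf"}


def unsafe_destination(upload_dir: str, client_filename: str) -> str:
    """Vulnerable pattern: the client-supplied filename is joined onto the
    upload directory as-is. '../' segments walk out of the directory, and
    os.path.join drops upload_dir entirely if the name is absolute, so the
    attacker chooses where the file lands (e.g. a web shell in a served dir).
    """
    return os.path.normpath(os.path.join(upload_dir, client_filename))


def safe_destination(upload_dir: str, client_filename: str) -> str:
    """Hardened pattern: reduce the name to a basename, allowlist the
    extension, then verify the resolved path is still under upload_dir.
    """
    # 1. Discard any directory component the client sent (either separator).
    name = posixpath.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("invalid filename")

    # 2. Allowlist the extension so a .jsp/.php payload is never written.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")

    # 3. Resolve and confine: the final path must stay inside the root.
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("path escapes upload directory")
    return dest


def accepts(upload_dir: str, client_filename: str) -> bool:
    """True if the hardened handler would store this name, else False."""
    try:
        safe_destination(upload_dir, client_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed attacker inputs: traversal toward a cron directory, an
    # absolute path, a Windows-style traversal to a web shell, and one
    # legitimate upload.
    for name in ["../../etc/cron.d/evil", "/tmp/shell.jsp",
                 "..\\..\\shell.jsp", "report.PDF"]:
        print(f"{name!r:26} unsafe -> {unsafe_destination(UPLOAD_DIR, name)}"
              f"   hardened accepts? {accepts(UPLOAD_DIR, name)}")
```

The check that matters is the last one: resolving the final path and confirming it shares the upload root as a prefix. Stripping "../" substrings on their own is a weaker control than confining the resolved path, and the extension allowlist is what keeps an executable payload from ever being written even when the path is confined.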
The Federal Communications Commission has adopted new data breach rules,
expanding the definition of a breach to include inadvertent access or disclosure of customer information.
The updated rules also extend to all customers' personally
identifiable information held by carriers and telecommunications relay services. FCC Chair
Jessica Rosenworcel emphasized the need for these rules to ensure customer information safety and
cybersecurity. The decision, passed with a 3-2 vote, is likely to face opposition from Senate
Republicans, particularly Senator Ted Cruz, who previously criticized the proposed changes.
The two Republican commissioners voted against the order, expressing concerns about potential
conflicts with congressional limits on agency powers. The new rule requires carriers and providers to notify
the FCC, FBI, and Secret Service within seven days of a breach affecting 500 or more customers.
For breaches involving fewer than 500 customers and deemed non-harmful, carriers can report
annually. This change aligns with the FCC's increased focus on privacy under Rosenworcel,
including the formation of a Privacy and Data Protection Task Force. The FCC's move is part
of a broader trend of enhanced federal data breach reporting requirements, alongside recent updates
by the Federal Trade Commission and new SEC breach notification rules set to take effect soon.
Coming up after the break, David Moulton from Palo Alto Networks speaks with Madeline Sedgwick.
They discuss the skills and methods necessary for understanding threat actor intent and behaviors.
Stay with us.
in the Navy. I didn't end up being a pilot, obviously. There was not a lot of belief that
I was going to do very well in the military, mostly because I had done four years at a very
art-centric environment. Welcome to Threat Vector, a segment where Unit 42 shares unique
threat intelligence insights, new threat actor
TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts,
incident responders, and proactive security consultants dedicated to safeguarding our
digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. In today's episode, I'm going to speak with Madeline Sedgwick about the
types of skills and methods needed to understand threat actor intent and behaviors as part of
threat hunting and how that helps with threat deterrence. Madeline is a senior cyber research engineer and threat analyst for the
Cortex Xpanse team at Palo Alto Networks. She's held roles in the Navy, the DoD, the Marine Corps,
along with several private sector jobs. Madeline, where are you recording from today?
Jacksonville, Florida.
I remember the last time I was in Jacksonville.
It's beautiful.
Oh, it is.
Home of the Jacksonville Jaguars.
So before the show, we were talking a little bit about the different types of skills that you're looking for when you're building a team.
And I thought that was really fascinating.
Talk to me about what types of people you're looking for when you're putting together a team.
Cybersecurity is not just about understanding how networks work and how computers process information.
It's also about understanding behavior.
Why an adversary does what an adversary does and what are the motivations behind that adversary's activity.
If I can anticipate how the world's changing and how the geopolitical landscape is changing,
then I can anticipate also
potential threats on the horizon that I need to be aware of. I think there's a misconception
that the higher educated, the more certifications you have as a potential cybersecurity analyst,
the better you're going to be at the job. I would take the person who has the understanding of systems,
who can break down a system, identify what makes a system work, what doesn't make a system work,
and then also be able to pivot that understanding of a system to how human beings work.
So Madeline, tell our listeners your thoughts on how analyzing a threat actor's behavior and intent
help threat hunters avoid guesswork.
So if you look at adversary behavior, you don't have to guess what infrastructure is vulnerable.
I know that if I have a public-facing device, it can be exploited by an adversary using an exploit.
What does that exploit use? Is it a GET request, an HTTP GET request? Is it something that gets
thrown at my network to make that device do something?
All of these things can contribute to identifying the behavior behind an actor that's not necessarily tied to specific vulnerabilities.
Because that's how we kind of pigeonhole ourselves into thinking, if I protect from the vulnerability, I'll protect my network, which is not the case.
What are some of the most helpful resources that you've found to help understand threat actor
behavior and intent?
Sure. So I, day in and day out, employ a number of different capabilities.
I come from an intelligence background and we don't like to rely on one data source.
Twitter is a great one-stop shop for people trying to get out information as quickly as possible.
There are very talented cybersecurity analysts who get into the weeds and are subject matter experts where I'm not a subject matter expert on a particular actor and certain tactics those actors use.
And then a combination of data sources.
So packet capture data and then open source information.
We like to combine as many different perspectives as possible so that we can get true insight
when identifying threat activity.
What's the one thing that you should remember from this conversation?
Cyber adversaries are human beings.
That's why they make mistakes.
Being a computer hacker, being a threat actor
doesn't give you superpowers, doesn't give you, like, Matrix-level Neo insight into the internet.
They're limited to the same, what I call like the laws of internet physics, right? If I can
anticipate why an adversary does what an adversary does and what are the motivations behind that
adversary's activity, then I can anticipate potential threats on the horizon that I need to be aware of.
Madeline, thanks for joining me today on Threat Vector.
We'll be back on the CyberWire Daily in two weeks.
Until then, stay secure, stay vigilant.
Goodbye for now.
That's Palo Alto Networks' David Moulton
and Madeline Sedgwick.
And finally, the State Department's Global Engagement Center,
tasked with countering propaganda from terrorists and hostile nations,
is under fire,
the New York Times reports. Accusations in court and Congress allege the GEC has helped social media platforms like Facebook, YouTube, and X (formerly Twitter) censor Americans, breaching the First
Amendment. Texas Attorney General Ken Paxton and two conservative news outlets have sued,
claiming GEC's actions are severe censorship. The GEC, founded in 2011 with a $61 million budget
and 125 staff members, counters foreign disinformation, especially from Russia and
China. It's now facing existential threats, including potential disbandment if its mandate
expiring next year isn't renewed. James P. Rubin, the GEC's coordinator, denies the censorship
allegations, emphasizing their focus on foreign disinformation. The controversy is part of a
broader debate on free speech and disinformation reaching the Supreme Court. The GEC's interactions
with social media companies have been scrutinized, but there's been no evidence of coercion or
influence. Despite this, the House Republicans have challenged the GEC's mandate renewal.
The lawsuit from Texas claims the GEC indirectly censors through grants to organizations identifying disinformation.
The Federalist and the Daily Wire, involved in the lawsuit, were tagged as high risk for
disinformation by a GEC-funded project. The debate continues over whether fighting disinformation
is a form of censorship, with political effectiveness outweighing evidence.
In the world of tech and
politics, it looks like the Global Engagement Center may be playing a high-stakes game of
whack-a-mole, only this time it's not just propaganda they're dodging, but lawsuits and
legislative curveballs. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
This episode was produced by Liz Irvin. Our mixer is Tré Hester, with original
music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive
editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.