CyberWire Daily - Taking down the storm.

Episode Date: December 14, 2023

Microsoft takes down the Storm-1152 cybercrime operation. “GambleForce” is a newly discovered threat actor. The SVR exploits a JetBrains TeamCity vulnerability. US Postal Service impersonation. Malicious ads associated with Zoom. An update on the cyberattack against Kyivstar. Apache issues a Struts 2 security advisory. The FCC adopts new data breach rules. In our latest Threat Vector segment, David Moulton and Palo Alto Networks' Madeline Sedgwick discuss the skills and methods necessary for understanding threat actor intent and behaviors. And the State Department's Global Engagement Center is under fire.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On the Threat Vector segment with Palo Alto Networks Unit 42's David Moulton, hear about decoding cyber adversaries. David discusses unveiling intent and behavior in the world of threat hunting with Madeline Sedgwick.

Selected Reading
Microsoft disrupts cybercrime operation selling fraudulent accounts to notorious hacking gang (TechCrunch+)
New hacker group GambleForce targets government and gambling sites in Asia Pacific using SQL injections (Group-IB)
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally (Joint Advisory)
Malvertisers zoom in on cryptocurrencies and initial access (MalwareBytes)
Russian hacker group claims responsibility for Kyivstar cyberattack (The Kyiv Independent)
New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now (The Hacker News)
FCC Adopts Updates to Data Breach Rules, Sets Up Privacy Battle (Bloomberg Law)
State Dept.'s Fight Against Disinformation Comes Under Attack (The New York Times)

Threat Vector
In this Threat Vector segment, David Moulton and Palo Alto Networks' Madeline Sedgwick discuss the skills and methods necessary for understanding threat actor intent and behaviors. Madeline, a Senior Cyber Research Engineer and Threat Analyst for the Cortex Xpanse team at Palo Alto Networks, shares insights into how analyzing adversary behavior helps in anticipating threats and avoiding guesswork. They discuss the value of understanding both system dynamics and human behavior in cybersecurity, emphasizing that cyber adversaries are limited by the same laws of internet physics. Please share your thoughts with us for future Threat Vector segments by taking our brief survey. To learn what is top of mind each month from the experts at Unit 42, sign up for their Threat Intel Bulletin.

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Microsoft takes down the Storm-1152 cybercrime operation. GambleForce is a newly discovered threat actor. The SVR exploits a JetBrains TeamCity vulnerability. U.S. Postal Service impersonation.
Starting point is 00:02:14 Malicious ads associated with Zoom. An update on the cyber attack against Kyivstar. Apache issues a Struts 2 security advisory. The FCC adopts new data breach rules. In our latest Threat Vector segment, David Moulton and Palo Alto Networks' Madeline Sedgwick discuss the skills and methods necessary for understanding threat actor intent and behaviors. And the State Department's Global Engagement Center is under fire.
Starting point is 00:03:13 It's Thursday, December 14th, 2023. I'm Dave Bittner, and this is your CyberWire. Microsoft has dismantled the infrastructure of Storm-1152, a cybercrime operation that sold fraudulent Outlook accounts to other hackers, including the Scattered Spider gang. Storm-1152, a significant player in the cybercrime-as-a-service ecosystem, created about 750 million fake Microsoft accounts through its service HotMailbox.me, generating millions in illicit revenue and causing extensive damage to Microsoft. This group was labeled as the leading creator
Starting point is 00:03:43 and seller of fraudulent Microsoft accounts. Storm-1152's modus operandi involved using bots to deceive Microsoft security systems, creating fake Outlook email accounts, and then selling them to cybercriminals. They also offered CAPTCHA solver services, aiding fraudsters in bypassing CAPTCHA systems and exploiting Microsoft and other online environments. Microsoft's investigation revealed that groups like Scattered Spider, involved in major ransomware attacks and data breaches, including against Okta customers and MGM Resorts, utilize Storm-1152's services. These attacks caused disruptions and damages running into hundreds of millions of dollars. On December 7th, Microsoft obtained a court order to seize Storm-1152's U.S.-based infrastructure and domains, including HotMailbox.me and the associated CAPTCHA
Starting point is 00:04:42 services. The company also identified the individuals behind this operation, all based in Vietnam. Microsoft's Digital Crimes Unit, led by April Hogan-Burney, headed up the effort, assisted by Arkose Labs, who've been tracking Storm-1152 since August of 2021. Arkose Labs CEO Kevin Gosschalk noted Storm-1152's uniqueness in operating openly on the internet, offering training and customer support for its tools. Security firm Group-IB announced this morning its discovery of GambleForce,
Starting point is 00:05:20 which it describes as a new threat actor working against targets in Australia, China, India, Indonesia, the Philippines, South Korea, Thailand, and Brazil. The group's name derives from its initial attention to the gambling sector, but GambleForce quickly branched out to government, retail, and travel websites. Job-seeking sites also figured among the targets. Group-IB states, "In almost all known attacks, GambleForce abused public-facing applications of victims by exploiting SQL injections."
Starting point is 00:05:59 Among the attack software the group used were publicly available open-source tools. GambleForce seems to have been indiscriminate in its theft of accessible data, but the researchers haven't been able to determine what the threat group is doing with that data. Group-IB says it's taken down GambleForce's command and control server and notified the victims it's been able to identify. CISA, NSA, SKW, CERT Polska, and the UK's NCSC have jointly warned that Russia's SVR is exploiting a vulnerability in JetBrains' TeamCity software. TeamCity is critical for software development processes like building and testing. The SVR's successful exploitation of this vulnerability could give them access to source code, signing certificates, and software deployment processes, posing a significant software supply chain threat.
Starting point is 00:06:51 This operation mirrors the SVR's past tactics, including the notorious 2020 SolarWinds breach. While the current exploitation hasn't had as widespread an impact, the SVR has used it to escalate privileges, move laterally, deploy back doors, and ensure long-term network access. Their targets are selected based on vulnerability exposure. The advisory details the SVR's cyber attack techniques, indicators of compromise, and recommended mitigations. It also reviews the SVR's history of cyber operations since 2013, highlighting their focus on gathering foreign intelligence and targeting technology companies for future operations. Fortinet researchers provide insights into the SVR's methods,
Starting point is 00:07:41 including the use of GraphicalProton malware for persistence, a tool previously linked to other SVR activities. Researchers at Uptycs are tracking a smishing campaign that's impersonating the U.S. Postal Service in order to steal victims' personal and financial information. The text messages inform recipients that a USPS delivery requires their attention and direct them to click on a link in order to resolve the issue. The link leads to a fake U.S. Postal Service website that asks the user to enter their name, address, and billing information. The researchers have tied this campaign to over a thousand active phishing sites.
Starting point is 00:08:22 Uptycs believes the scammers are based in China and are targeting users around the world. Researchers at Malwarebytes are tracking an increase in malvertising themed around Zoom, noting that these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users in order to gain access to company networks. One of the campaigns is delivering a new loader dubbed HiroshimaNukes that delivers information-stealing malware. The researchers add, "Threat actors have been alternating between different keywords for software downloads such as Advanced IP Scanner or WinSCP, normally geared towards IT administrators." Ukraine's SBU has attributed the recent attack on Kyivstar, Ukraine's major mobile and internet
Starting point is 00:09:13 service provider, to a Russian pseudo-hacker group working for the GRU, giving Russia plausible deniability. The group, Solntsepek, claimed on Telegram that they targeted Kyivstar for supporting Ukraine's military and government agencies. They exaggeratedly claimed to have destroyed thousands of computers, servers, and all cloud storage and backup systems of Kyivstar. Although the extent was overstated, the disruption was significant. Another group, Killnet, initially claimed responsibility, but analysts from Mandiant dismissed this as unlikely, viewing it as an opportunistic claim lacking credibility. The cyberattack began Tuesday morning,
Starting point is 00:09:57 with Kyivstar gradually restoring services, starting with landline voice services, although full recovery is expected to take some time. Solntsepek has been linked to the GRU's Sandworm activities. Apache has issued a security advisory for a critical flaw in the Struts 2 web application framework, which could lead to remote code execution. This vulnerability, discovered by Steven Seeley of Source Incite, stems from defective file upload logic, allowing unauthorized path traversal and the potential uploading of malicious files to execute arbitrary code.
Starting point is 00:10:37 Struts, a Java framework for building web applications, has released patches for the affected versions. Developers are strongly urged to update as there are no alternative workarounds. Although no real-world malicious exploits have been reported yet, a past security flaw in Struts was used in the 2017 Equifax breach. Recent updates indicate that the threat actors are now attempting to exploit this vulnerability with reports of active exploitation to install web shells and establish network footholds. The Federal Communications Commission has adopted new data breach rules,
Starting point is 00:11:16 expanding the definition of a breach to include inadvertent access or disclosure of customer information. The updated rules also extend to all customers' personally identifiable information held by carriers and telecommunications relay services. FCC Chair Jessica Rosenworcel emphasized the need for these rules to ensure customer information safety and cybersecurity. The decision, passed with a 3-2 vote, is likely to face opposition from Senate Republicans, particularly Senator Ted Cruz, who previously criticized the proposed changes. The two Republican commissioners voted against the order, expressing concerns about potential conflicts with congressional limits on agency powers. The new rule mandates carriers and providers to notify
Starting point is 00:12:06 the FCC, FBI, and Secret Service within seven days of a breach affecting 500 or more customers. For breaches involving fewer than 500 customers and deemed non-harmful, carriers can report annually. This change aligns with the FCC's increased focus on privacy under Rosenworcel, including the formation of a Privacy and Data Protection Task Force. The FCC's move is part of a broader trend of enhanced federal data breach reporting requirements, alongside recent updates by the Federal Trade Commission and new SEC breach notification rules set to take effect soon. Coming up after the break, David Moulton from Palo Alto Networks speaks with Madeline Sedgwick. They discuss the skills and methods necessary for understanding threat actor intent and behaviors.
Starting point is 00:13:04 Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
Starting point is 00:13:53 like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:14:44 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io. in the Navy. I didn't end up being a pilot, obviously. There was not a lot of belief that I was going to do very well in the military, mostly because I had done four years at a very art-centric environment. Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. In today's episode, I'm going to speak with Madeline Sedgwick about the types of skills and methods needed to understand threat actor intent and behaviors as part of
Starting point is 00:16:22 threat hunting and how that helps with threat deterrence. Madeline is a senior cyber research engineer and threat analyst for the Cortex Xpanse team at Palo Alto Networks. She's held roles in the Navy, the DOD, the Marine Corps, along with several private sector jobs. Madeline, where are you recording from today? Jacksonville, Florida. I remember the last time I was in Jacksonville. It's beautiful. Oh, it is. Home of the Jacksonville Jaguars.
Starting point is 00:16:56 So before the show, we were talking a little bit about the different types of skills that you're looking for when you're building a team. And I thought that was really fascinating. Talk to me about what types of people you're looking for when you're putting together a team. Cybersecurity is not just about understanding how networks work and how computers process information. It's also about understanding behavior. Why an adversary does what an adversary does and what are the motivations behind that adversary's activity. If I can anticipate how the world's changing and how the geopolitical landscape is changing, then I can anticipate also
Starting point is 00:17:25 potential threats on the horizon that I need to be aware of. I think there's a misconception that the higher educated, the more certifications you have as a potential cybersecurity analyst, the better you're going to be at the job. I would take the person who has the understanding of systems, who can break down a system, identify what makes a system work, what doesn't make a system work, and then also be able to pivot that understanding of a system to how human beings work. So Madeline, tell our listeners your thoughts on how analyzing a threat actor's behavior and intent help threat hunters avoid guesswork. So if you look at adversary behavior, you don't have to guess what infrastructure is vulnerable. I know that if I have a public-facing device, it can be exploited by an adversary using an exploit.
Starting point is 00:18:15 What does that exploit use? Is it a GET request, an HTTP GET request? Is it something that gets thrown at my network to make that device do something? All of these things can contribute to identifying the behavior behind an actor that's not necessarily tied to specific vulnerabilities. Because that's how we kind of pigeonhole ourselves into thinking, if I protect from the vulnerability, I'll protect my network, which is not the case. What are some of the most helpful resources that you've found to help understand threat actor behavior and intent? Sure. So I, day in to day out, employ a number of different capabilities. I come from an intelligence background and we don't like to rely on one data source. Twitter is a great one-stop shop for people trying to get out information as quickly as possible.
Starting point is 00:19:06 There's very talented cybersecurity analysts who get into the weeds and are subject matter experts where I'm not a subject matter expert on a particular actor and certain tactics those actors use. And then a combination of data sources. So packet capture data and then open source information. We like to combine as many different perspectives as possible so that we can get true insight when identifying threat activity. What's the one thing that you should remember from this conversation? Cyber adversaries are human beings. That's why they make mistakes.
Starting point is 00:19:44 Being a computer hacker, being a threat actor doesn't give you superpowers, doesn't give you, like, Matrix-level Neo insight into the internet. They're limited to the same, what I call, like, the laws of internet physics, right? If I can anticipate why an adversary does what an adversary does and what the motivations are behind that adversary's activity, then I can anticipate potential threats on the horizon that I need to be aware of. Madeline, thanks for joining me today on Threat Vector. We'll be back on the Cyber Wire Daily in two weeks. Until then, stay secure, stay vigilant.
Starting point is 00:20:28 Goodbye for now. That's Palo Alto Networks' David Moulton and Madeline Sedgwick. a partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, the State Department's Global Engagement Center,
Starting point is 00:21:41 tasked with countering propaganda from terrorists and hostile nations, is under fire, the New York Times reports. Accusations in court and Congress allege the GEC has helped social media platforms like Facebook, YouTube, and X (formerly Twitter) censor Americans, breaching the First Amendment. Texas Attorney General Ken Paxton and two conservative news outlets have sued, claiming GEC's actions are severe censorship. The GEC, founded in 2011 with a $61 million budget and 125 staff members, counters foreign disinformation, especially from Russia and China. It's now facing existential threats, including potential disbandment if its mandate, expiring next year, isn't renewed. James P. Rubin, the GEC's coordinator, denies the censorship
Starting point is 00:22:34 allegations, emphasizing their focus on foreign disinformation. The controversy is part of a broader debate on free speech and disinformation reaching the Supreme Court. The GEC's interactions with social media companies have been scrutinized, but there's been no evidence of coercion or influence. Despite this, the House Republicans have challenged the GEC's mandate renewal. The lawsuit from Texas claims the GEC indirectly censors through grants to organizations identifying disinformation. The Federalist and the Daily Wire, involved in the lawsuit, were tagged as high risk for disinformation by a GEC-funded project. The debate continues over whether fighting disinformation is a form of censorship, with political effectiveness outweighing evidence.
Starting point is 00:23:24 In the world of tech and politics, it looks like the Global Engagement Center may be playing a high-stakes game of whack-a-mole, only this time it's not just propaganda they're dodging, but lawsuits and legislative curveballs. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Cyber Wire listeners, as we near the end of the year, it's the perfect time to reflect on your company's achievements and set new goals to boost your brand across the industry.
Starting point is 00:24:03 We'd love to help you achieve those goals. We've got some unique end-of-year opportunities complete with special incentives to launch 2024, so tell your marketing team to reach out. Send us a message at sales at thecyberwire.com or visit our website so we can connect about building a program to meet your goals. We'd love to know what you think of this podcast.
Starting point is 00:24:26 You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence
Starting point is 00:24:51 optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin. Our mixer is Tré Hester with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
