CyberWire Daily - Two RAT infestations. Ghosts of sites past. Trends in identity security. Detecting deepfakes may prove more difficult than you think.
Episode Date: May 31, 2023

SeroXen is a new elusive evolution of the Quasar RAT that seems to live up to its hype, and DogeRAT is a cheap Trojan targeting Indian Android users. Salesforce ghost sites see abuse by malicious actors. A look into identity security trends. People may be overconfident in their ability to detect deepfakes. Deepen Desai from Zscaler describes a campaign targeting Facebook users. CW Walker from Spycloud outlines identity exposure in the Fortune 1000. And a blurring of the lines between criminal, hacktivist, and strategic motivations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/104

Selected reading.
SeroXen RAT for sale (AT&T Cybersecurity)
Sneaky DogeRAT Trojan Poses as Popular Apps, Targets Indian Android Users (The Hacker News)
DogeRAT: The Android Malware Campaign Targeting Users Across Multiple Industries (CloudSek)
Ghost Sites: Stealing Data From Deactivated Salesforce Communities (Varonis)
2023 Trends in Securing Digital Identities (Identity Defined Security Alliance)
Jumio 2023 Online Identity Consumer Study (Jumio)
Void Rabisu's Use of RomCom Backdoor Shows a Growing Shift in Threat Actors' Goals (Trend Micro)
Ukraine's DELTA Military System Users Under Attack from Info Stealing Malware (The Hacker News)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
SeroXen is a new elusive evolution of the Quasar RAT that seems to live up to its hype,
and DogeRAT is a cheap Trojan targeting Indian Android users.
Salesforce ghost sites see abuse by malicious actors,
a look into identity security trends,
people may be overconfident in their ability to detect deepfakes.
Deepen Desai from Zscaler describes a campaign targeting Facebook users.
C.W. Walker from SpyCloud
outlines identity exposure in the Fortune 1000.
And a blurring of the lines
between criminal, hacktivist, and strategic motivations.
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, May 31st, 2023.

AT&T has reported their discovery of a new fileless remote access Trojan, SeroXen.
The tool is advertised as legitimate, giving access to computers while flying under the radar for the very low cost of only $30 a month or $60 for a lifetime.
This RAT seems to live up to its hype. AT&T says it's performing well at evading detections
and that it effectively combines open-source projects, including Quasar RAT, SeroXen's
progenitor. Quasar RAT, released in 2014 as xRAT, has been used by the Gaza Cyber Gang group and menuPass group since 2017.
AT&T writes that SeroXen was first observed on a Twitter account in 2022, with the advertiser appearing to be an English-speaking teen.
The carrier writes that the same Twitter handle published a review of the RAT on YouTube.
The video approached the review from an attacking and red team point of view, encouraging people to buy the tool because it is worth the money.
The reviewers were claiming to be a reseller of the tool.
AT&T's Alien Labs regards the SeroXen RAT as elusive, hard to detect, and worth keeping an eye on.
Citing research by CloudSek, Hacker News reports that another new remote-access Trojan,
DogeRAT, has been observed targeting Indian Android users. The malware seems to have been
created in June of 2022, shortly after which it was advertised on its Indian developer's Telegram page.
DogeRAT, like its namesake cryptocurrency, is regarded as cheap at $30 a month
and is viewed as an effective money-making scheme.
It exploits consumers by masquerading as legitimate premium applications
like Netflix, OpenAI's ChatGPT, or YouTube Premium.
CloudSek reports that once the RAT is installed,
sensitive data is accessed, including contacts, messages, and banking credentials.
They add that the malware is capable of controlling the victim's device
and performing malicious actions, such as sending spam messages,
making unauthorized payments, modifying files,
viewing call records, and even taking
photos via both the front and rear cameras of the infected device. Experts recommend not downloading
free versions of premium services from social media pages. They are too often malicious.
And in the end, they often cost more than the premium services they impersonate.

Unmaintained and incorrectly deactivated Salesforce sites remain accessible online,
and so, unfortunately, accessible to threat actors, Varonis reported today.
If the host header is manipulated, malicious actors may be able to gain access to personally identifiable information and sensitive business information.
The Salesforce sites allow for collaboration among customers and partners within an organization's Salesforce implementation. However, these ghost sites, as Varonis has aptly labeled them,
are often merely set aside when they're no longer in use, not fully deactivated as sound practice
would dictate. This means that the security
measures implemented on the sites are often not up to par with current cybersecurity protections.
On top of a lack of updates to the ghost site's security measures, they also remain untested
against newer vulnerabilities that appear after the site is no longer actively used.
Many companies only modify the DNS records of their Salesforce site
to direct to an alternative,
but researchers say that companies often do not remove the custom domain in Salesforce,
nor do they deactivate the site.
Instead, the site continues to exist, pulling data and becoming a ghost site.
Since the ghost site remains accessible in Salesforce,
the change to
the host header tricks Salesforce into believing the actor is connecting to the original site
and grants access to the malicious actor. Varonis advises full deactivation of unused
Salesforce sites to prevent such attacks from lifting sensitive data that may be left exposed otherwise.

The Identity Defined Security Alliance, the IDSA,
released its 2023 Trends in Identity Security report conducted by Dimensional Research.
The report discusses identity security and its place in cyber
and how it impacts security challenges and outcomes.
Identity security remains a major cybersecurity focal point. 90% of those surveyed
reported an identity-related breach within the last year. 17% of respondents say digital identity
security is their top priority. 44% place it in their top three, and 25% put it in their top five.
A majority of respondents report being targeted by phishing attacks in the last 12 months,
with 57% reporting that employees clicked on a phishing email without realizing it.
Shared passwords between work and personal accounts were said by 37% of the respondents
to be a factor in identity-based attacks. The cost of breach recovery alongside distraction
from business operations and a damaged reputation were cited as the top business impacts from identity security breaches.

A global survey by Jumio found that 52% of its respondents who were aware of generative AI and deepfakes believed that they could detect a deepfake video.
Jumio asserts that this is an example of overconfidence with the consumer,
as deepfakes have reached a level of sophistication which would prevent an unaided human from detecting them.
Jumio says that the data also shows a steady uptick
in the use of increasingly sophisticated deepfakes across the globe and across industries
with a heavier presence in the payments and crypto sectors. Jumio suspects that training will find it difficult to keep pace
with the growing quality of AI-created media.

And finally, Trend Micro describes the recent
activity of Void Rabisu, a malicious actor believed to be associated with the RomCom backdoor. It's a Russian,
or at least a Russophone, gang, and until the last few months, its activities and motivations
have generally been assumed to be straightforwardly criminal, motivated by financial gain.
Also known as Tropical Scorpius, Void Rabisu has been associated with the Russian intelligence-linked Cuba ransomware operation,
and since late 2022, the gang's targeting has increasingly matched Russian state interests.
Trend Micro writes that Void Rabisu's associated RomCom backdoor
was reported to have been used in attacks against the Ukrainian government and military,
and specifically notes a December 2022 phishing
campaign that impersonated the Ukrainian army's DELTA situational awareness website.
The target selection is that of an intelligence service. The tactics, techniques, and procedures
are those of a criminal gang. Trend Micro thinks that Void Rabisu's targeting has been connected to Russian strategic goals since October of 2022.
The group's evolution shows the continued blurring of lines between hacktivists, intelligence services, and criminal gangs.
Of those three, in Russia's case, the intelligence services are clearly in the saddle.

Coming up after the break,
Deepen Desai from Zscaler describes a campaign targeting Facebook users.
C.W. Walker from SpyCloud
outlines identity exposure
in the Fortune 1000.
Stay with us.

Do you know the status of your compliance controls right now?
Like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
CW Walker is Director of Security Product Strategy at SpyCloud, a cybercrime analytics firm. They recently released results from their latest identity exposure report focusing on the Fortune 1000.

By looking at the Fortune 1000, it looks very specifically at companies that are most likely to become targets for some of the most nefarious stuff.
It's true that a small mom-and-pop shop can become a target for ransomware or fraud or theft.
The impact, though, on citizens globally is probably a little bit
smaller if it's a local dance studio versus a regional bank, right? So that's where we drew
the line in the sand is with the Fortune 1000.

Yeah, fair enough. Well, let's go through some of the findings here. What are some of the things that really caught your eye?

Yeah. So this year we analyzed a little over 2 billion, I think it's 2.2 some odd billion exposed dark web assets, which included 423 million PII assets, which is kind of wild. And that comes from two sources primarily. One is data breaches.
So databases that have their entire user tables siphoned off. And then the other place that we see a lot of this is with malware infected devices. So stealer logs and that type of thing.
So tied more specifically to individuals that are interacting with or that are employed by Fortune 1000 companies that have unfortunately during the course of their digital lives interacted with a piece of malware.

One thing that you track here are the trends that you're tracking over time, of course.
And what are some of the things that stood out to you there?

I think the thing that probably shocked me the most was an almost 800% increase over our last year's consumer-infected devices in the financial sector,
which kind of surprised me. And so part of that, we believe, is looking at
the way that criminals are trying to monetize things. So we've got some speculation on why
that might be. Over the past year, we saw the value of cryptocurrency change pretty dramatically.
And so maybe they're more interested in fiat, right? Going back after our hard dollars and cents. But we also are seeing a 300% year over
year increase in malware infected employees tied to financial companies, which I think also gives
an interesting view into the types of fraud that they're able to
commit. And those are different types of activities. They're related more to things like
trying to unfreeze accounts, to empty accounts that have been compromised, that maybe have a
block technologically to prevent that type of fraud. So trying to leverage those infections for
insider threat type of situations.

One of the things that caught my eye when I was looking
through the report was the degree that some of these organizations are still struggling with
the basics, things like password hygiene.

Oh, yes. As an industry, I think we're really excited about new and powerful things. Passkeys has been on everyone's lips the past couple of weeks with Google having the option to move to passkeys instead of passwords.
Adoption for even things as simple as complex passwords or two-factor authentication is still very, very, very low. And we even see password reuse among employees in the Fortune 1000 is still at 62%.
And the financial sector still had the worst password reuse rate at 68%.
So you're right. Some of the simple things are
still tripping, I think, a lot of industries up, but we are seeing things improve marginally
on some of those things. Good to be half full, right?

Yeah, it's a bad percentage, but it did change one percentage point in a positive direction. So we'll take what we can get.

Okay. All right. Well, based on the information that you all have gathered here, what are your recommendations then?

unique passwords and complex passwords for each account that we're using, whether in our
employee lives or our personal lives, that is by far the biggest thing that individuals can do to
protect their security. And whether you're using a password manager, if that's something that
interests you, or you're using the operating system password manager in iOS or Android,
creating a unique password to save in that password manager is pretty important. And so
we recommend that. And on the enterprise side, what we're really looking at is for those enterprises
that do have a pretty sophisticated program that has multi-factor or is moving to passkeys to consider new ways to gain visibility beyond authentication into session identities.
they can get into accounts that have a really stellar login protection, but stealing, for example,
a device cookie or a session token after authentication so that they bypass that completely. Those are the two things we recommend.

You allude to the fact that maybe we are slowly
heading in the right direction here. Are you optimistic that we can get a handle
on these things?

I'm eternally optimistic. Yeah, I am. I think that what we will do is we secure
what we can and we increase the costs of operation for criminals. And even if we're not able to
completely eliminate the things that we have challenges with,
if we can eliminate a percentage of it, that makes a meaningful difference for individuals
and companies. And I think that that's something to be proud of as an industry.
We can always do better, but I'm optimistic that we're moving in the right direction and
that we are making some changes that will help.

That's C.W. Walker from SpyCloud.

And I'm pleased to be joined once again by Deepen Desai.
He is the Global CISO and Head of Security Research and Operations at Zscaler.
Deepen, always a pleasure to welcome you back to the show.
There is something that you and your colleagues have been looking into here,
and it's something called Album Stealer.
This is targeting folks on Facebook.
What's going on here?
Yeah, so look, there are so many information-stealing malware
that we see in the threat landscape today.
ThreatLabz team discovered a new stealer family.
We dubbed it as Album Stealer.
It's actually targeting Facebook adult-only content seekers,
and I'll explain what I mean by that.
So what we saw was there was an album stealer, which is disguised as a photo album.
It has some adult content.
It will drop some decoy adult images while performing malicious activity in the background. So the way the attack starts is
there is a Facebook fake profile page, which is where this album supposedly exists. When the user
falls for it, they will download a zip file, which will be hosted on a compromised site or even OneDrive is what we saw in one of the attack chains.
The zip file contains an album.exe file. This is what will have an icon that makes you feel like
this is an image. When you click on it, it will open an image file, but in the background, it
downloads and loads a DLL, which is the malicious executable.
And the goal over here for the threat actor is to steal cookies,
stored credentials from victims' web browsers.
It's also able to steal information from Facebook ads manager,
business accounts, API graph.
And then it obviously leverages this information to perform financial fraud,
sell this information to make more money,
and in future conduct follow-up attacks as well.
It doesn't strike me as being terribly sophisticated in its targeting here.
Is this one of the ones where maybe it's in our best interest to sort of spread the word about it,
let people know that on the chance that you're looking for this sort of thing on Facebook,
that maybe you need to think twice?
Yeah, I mean, look, the sophistication, the only piece I'll mention on that one is
they are using this technique called DLL sideloading.
So that technique in combination with some level of obfuscation, they're using, I'm kind of going geeky over here on this podcast, but concurrent dictionary class, which basically masks out all these strings and data in this executable file.
So DLL side loading will allow it to evade certain endpoint AV detection if they're not
looking for this.
And then the obfuscation is standard, right?
That's where they will try to evade the network-based filtering as well.
But you're right.
I mean, if you are in an office, if you're an enterprise user,
you're looking for this content on Facebook using your work laptop,
that's probably not the right thing to do.
It's an interesting little bit of social engineering, I think, also,
that, as you mentioned, uses an icon that is going to be alluring to someone
and hoping that that'll make them overlook the fact
that it's actually an executable.
Exactly.
Yeah, there is definitely a social engineering element
starting from the fake Facebook profile page
to the file using that icon and even showing the image.
The user may not even know what happened in the backend
because the user saw the image and they're like,
okay, that's the only thing they got.
All right.
Well, something to be aware of for sure.
Deepen Desai.
Thanks for joining us.

Cyber threats are evolving every second. A full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.

And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the CyberWire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence
and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin
and senior producer Jennifer Eiben.
Our mixer is Tré Hester
with original music by Elliott Peltzman.
The show was written by Rachel Gelfand.
Our executive editor is Peter Kilpe
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.

Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.