CyberWire Daily - Two-step supply-chain attack. Plugging leaks, in both Mother Russia and the Land of the Free and the Home of the Brave. Belarus remains a player in the cyber war.
Episode Date: April 20, 2023
The 3CX compromise involved a two-stage supply-chain attack. Impersonating ChatGPT. Russia's security organs say they're cracking down on leaks. Updates on the Discord Papers case. Belarus arrests a pro-Russian hacktivist. Rob Boyce from Accenture Security on Dark Web cyber criminals targeting CRM systems. Our guest is Mike Loewy from the Tide Foundation, with an innovative approach to distributed key security. And, is Minsk going wobbly on Moscow? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/76
Selected reading.
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (Mandiant)
ChatGPT-Themed Scam Attacks Are on the Rise (Palo Alto Networks Unit 42)
Russian Offensive Campaign Assessment, April 19, 2023 (Institute for the Study of War)
Belarus-linked hacking group targets Poland with new disinformation campaign (Record)
Killnet Ostracizes Leader of Anonymous Russia, Adding New Chapter to Pro-Kremlin Hacktivist Drama (Flashpoint)
Transcript
You're listening to the CyberWire Network, powered by N2K.
The 3CX compromise involved a two-stage supply chain attack. Impersonating ChatGPT.
Russia's security units say they're cracking down on leaks.
Updates on the Discord Papers case.
Belarus arrests a pro-Russian hacktivist.
Rob Boyce from Accenture Security on dark web cyber criminals targeting CRM systems.
Our guest is Mike Loewy from the Tide Foundation with an innovative approach to distributed key security.
And is Minsk going wobbly on Moscow?
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, April 20th, 2023.
Mandiant reported this morning that the exploitation of 3CX, a supply chain attack,
was itself enabled by a previous supply chain attack.
The company's report said,
In March 2023, Mandiant Consulting responded to a supply chain compromise
that affected 3CX desktop app software.
During this response, Mandiant identified that the initial compromise vector of 3CX's network
was via malicious software downloaded from Trading Technologies' website.
This is the first time Mandiant has seen a software supply chain attack
lead to another software supply chain attack.
The attack is being attributed to UNC4736, generally regarded as a North Korean threat actor.
Its activities have been related to the financially motivated North Korean AppleJeus activity,
as reported by CISA.
Palo Alto Networks' Unit 42 wrote today that they're observing increased malicious activity
impersonating ChatGPT.
The hackers have been seen creating sites claiming to be OpenAI and attempting to trick users into sharing personal information
or even in some cases paying for the ChatGPT service.
From November of last year through early this month,
the researchers observed a 910% increase in web domains that were ChatGPT-related.
They say that in this same time frame, we observed a 17,818% growth of related squatting
domains from DNS security logs. Detections of around 118 ChatGPT-related malicious URLs were also caught daily by the company's URL filtering system.
The faux sites are said to be reminiscent of OpenAI's legitimate site,
but seek to exfiltrate user data or even attempt to make the user pay for ChatGPT,
which, when legitimately used through OpenAI, is free.
The Institute for the Study of War reports that Russia's FSB
is undertaking a comprehensive overhaul of the country's security apparatus,
apparently in response to a growing concern about leaks and security breaches.
The Institute says,
Russian state-controlled outlet TASS reported on April 19th
that the FSB and the main directorate of the security service of the Ministry of Internal
Affairs have been conducting mass checks at the Moscow Central District Internal Affairs Directorate
and several Moscow district police offices for the past several weeks due to the leakage of data from Russian
security forces at the request of Ukrainian citizens. Police departments appear to be the
focus of what amounts to an incipient purge. The researchers state the reported FSB and MVD raids
on the Moscow police departments are occurring against the backdrop of a series of arrests and
dismissals of prominent members of the Rosgvardia Russian National Guard leadership. The Kremlin may
be pushing for such arrests and investigations in order to conduct an overhaul of the domestic
security apparatus to oust officials who have fallen out of Kremlin favor and consolidate
further control of internal security organs.
That's certainly possible, and there's plenty of historical precedent in Russia for this sort of purge,
but the possibility that the security organizations are spooked by leaks is also a real one.
The U.S. has also had recent difficulty with leaks.
Jack Teixeira, the Air National Guardsman alleged to have taken and leaked the Discord papers to a small group of young and besotted followers on the gamer social platform, has been charged, is in custody awaiting trial, and has yet to enter a plea. The New York Times, which has published a review of where the case stands,
comments on the apparent motive,
which appears to be devoid of the usual elements of ideology or political commitment
and also of any compromise or financial gain.
The motive seems to have been as simple as a desire to show off in front of online friends.
The head of Anonymous Russia, a young man who went by the hacker name Raiti,
has, according to Killnet, been arrested by Belarusian authorities, Flashpoint reports.
It's worth noting that this particular group is not the Anonymous that sought to pester Russia,
but rather an alternative organization devoted to Russia's cause
and operating as a kind of junior partner to Killnet.
Killnet has said it would appoint a new leader for Anonymous Russia.
The reconstituted group will concentrate on two things.
First, they've declared a war on CIA rats, an expression that in their reading means pro-Ukrainian hacktivist groups,
such as the IT Army of Ukraine,
a group of pro-Ukrainian hacktivists formed shortly after Russia's 2022 invasion,
which is specifically named in one of the channel's messages.
The mention of this trope, lifted from Russian propaganda,
is likely meant to confirm the new group's pro-Kremlin credentials.
Second, the group has also announced that it would transform itself into a DDoS-for-hire group that anyone can purchase.
However, it also specified that the project would be aimed at the dark web, too.
This latter announcement suggests that Anonymous Russia
will perform DDoS attacks against darknet markets similarly to
Killnet. It's unclear why Raiti was arrested, but Killnet was quick to identify and, Flashpoint says,
dox him. The reconstituted Anonymous Russia seems to be moving, along with its better-known and more
active, bigger colleague Killnet, in the direction of a profit-making enterprise.
Last month, Killnet said that it was organizing itself as a private cyber operations corporation
along the lines of the Wagner Group, the notorious private military corporation.
The rise of Wagner-like groups in cyberspace was the subject of a warning this week by the UK's NCSC, which, according to the Record,
is warning that such groups are expected to represent a particular threat to critical infrastructure. And finally, lest one conclude that the arrest of Raiti was a sign that Minsk
was going wobbly on Moscow, that's pretty clearly not happening. Ghostwriter is back.
Polish authorities say that a major propaganda campaign by the Belarusian group Ghostwriter was detected on April 18th.
Attribution was unusually quick and Poland has taken steps to control any damage.
The Record reports the group's goal in Poland is to disrupt the country's relations with its allies,
including Ukraine, the U.S., and NATO countries, according to Poland's Ministry of National Defense.
The group's campaigns have also aimed to foment social unrest among Polish citizens.
It's that old familiar mischief-making. Don't worry about persuasion. Just go for confusion.
Coming up after the break, Rob Boyce from Accenture Security on dark web cyber criminals targeting CRM systems.
Our guest is Mike Loewy from the Tide Foundation with an innovative approach to distributed key security.
Stay with us.
...access keys that splits them into millions of pieces distributed across 20 distributed servers around the world.
Mike Loewy is co-founder of the Tide Foundation.
What we're looking to do is to redefine the authority model in the digital world.
Today, we have a scenario where the security of our systems
and the protection of sensitive information is all, at the end of the day,
reliant on blind trust.
Blind trust in the people that build, administer,
and manage our IT systems.
Those people today have effectively carte blanche authority
over the sensitive information that these systems hold.
And we're looking to redefine that so that's no longer the case.
When we say blind trust, what exactly do we mean by that?
So if you think about, even take into account zero trust.
So zero trust, a methodology that was kind of introduced 10 years ago.
But even with the implementation of zero trust,
we're still seeing the most horrific breaches in history
and breaches have increased in frequency and severity.
And the reason for that is because no matter how much effort we put into applying that
model of constantly verifying and checking and making sure that whoever we're providing this
access to is who they say they are, there is some kind of root authority, something somewhere that
has to make that final decision of can I provide access to
this resource? Can you swipe and open this front door? Can you access this file? And that authority
lives somewhere on something and is administered by someone. And that means that there's always
this kind of Achilles heel that exists inside of a system, whether it's the identity and access management system, the firewall,
whatever security apparatus it is, and there's no way to verify
the integrity of those people administering those systems,
whether there's malintent or whether they're just human beings
that make mistakes, accidentally click on the wrong links.
That's what I mean.
And so what is it that you're proposing here?
What's the technology behind what you're looking to accomplish here?
So if you think about even a banking system.
So a banking system holds a huge amount of information on its customers.
It would have identity information, financial history,
all kinds of information that at certain points in time
is required by the bank,
at certain points in time is required by the customer.
But beyond those points in time when that information is needed,
the system, there's no good reason for the system to have access
or authority over that information.
In fact, it doesn't want it because it's a liability for the bank and it's a huge risk
for the end customer if that information is then appropriated or misappropriated.
What we're looking to do is using a technology to effectively decouple the authority over digital assets, for want of a better word, whether that's like identity information, financial information, or even network access rights, and decouple that from the systems that today it lives inside of.
So if you think about each custom record in a bank being locked with a different key and none of those keys sitting
in the bank system anymore.
So even your super users, your administrators don't have access
to those keys.
And putting those keys somewhere where they can be used only as appropriate, but cannot be stolen, cannot
be used in a context outside of what they were designed to do.
And from a technology perspective, what we've done is to have those keys not live anywhere,
but kind of live everywhere. So a key is in fact born in 20 pieces
across a fully decentralized network
and operated in a way that it's never actually put together.
So effectively, no one holds that key.
Well, help me understand here,
because I think a common line of thought here could be that don't you need a key
to access the keys? It's keys all the way down, right? I think about even with something like my
password manager or something like that, ultimately there's a master key. But what you're saying is
you all have found a clever way around that. So yeah, so that's an awesome question.
So your master password to your password manager is effectively the keys to the kingdom.
The question is, where does that key sit? Where does that master password live?
And how is that master password authenticated or validated to check that you've entered
that password correctly?
So if that is being performed by any single server, any centralized service, again, which is administered by people or is accessible to people, then it's always compromisable.
If that process of even validating a password is done in a way that no one ever gets to see the password,
password doesn't live anywhere in that kind of singular form, then the integrity of the
process that checks that password is sacrosanct, can't be circumvented, and there's no longer
a central repository holding all those usernames and passwords and sitting in one convenient place for an attacker to steal and kind of perform all kinds of interesting brute force attacks offline.
So what we've developed is a way to authenticate a user, be it first or second factor.
Obviously, adding additional factors is highly advisable,
but starting with just that very root, ubiquitous form of authentication, username, password,
but making sure that that password lives nowhere and that password is checked in a way that
no one actually gets access to the secret, to the password itself.
And we do that using a decentralized network
where it's almost like multiple servers
performing a small part of that process
in a way that reveals no information to them
and in fact that those servers don't even know
what they're doing and for whom.
And what does all this look like to the user?
What's the user experience like?
Absolutely no change to the user experience.
So from the end user's perspective,
they're typing a username and password into their banking platform
or their social media site or whatever they're authenticating to. Behind the scenes, that password is being authenticated by 20 different endpoints simultaneously
rather than one singular source.
So as far as the user is concerned, they enter a username and password.
That could be through a browser, but there's no one in the middle that can compromise that process.
That's Mike Loewy from the Tide Foundation.
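The interview above describes a key that is born as pieces on many servers and is used without ever being put together. The following is an added example written for this page, not Tide Foundation code and not a description of Tide's protocol: a simplified t-of-n threshold scheme in which Shamir shares are generated without a dealer and the Lagrange coefficients are applied inside the exponent, so that any t servers can jointly produce g^s mod p while no party ever holds s. The group (the 1024-bit MODP group from RFC 2409, chosen only because it is short enough to embed), the server count and threshold, and all function names are assumptions made for the illustration.

```python
"""Added example (not Tide Foundation code): a t-of-n threshold key that is
created as Shamir shares and used without ever being reassembled.

A secret exponent s exists only as shares s_1..s_n held by n servers. To
obtain g^s mod p (a Diffie-Hellman style public value), any t servers each
return the partial value g^(lambda_i * s_i) mod p for their Lagrange
coefficient lambda_i, and the client multiplies the partials. The client
learns g^s; neither the client nor any server ever learns s.

Group: the 1024-bit MODP group of RFC 2409 (safe prime p = 2q + 1, generator
2 of the prime-order-q subgroup), chosen only because it is short enough to
embed here. The threshold arithmetic is identical for a larger group or an
elliptic curve. Server count, threshold and function names are assumptions
made for this illustration.
"""
import secrets

P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
Q = (P - 1) // 2   # prime order of the subgroup generated by G
G = 2


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x^k) over Z_q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def dealer_free_keygen(n, t):
    """Create shares of a fresh secret s without any party ever holding s.

    Every server i picks a random degree-(t-1) polynomial f_i over Z_q and
    sends f_i(j) to server j; server j's share is the sum of what it receives.
    The implicit secret is s = sum_i f_i(0), which is never materialised.
    (Simplified Pedersen-style DKG: no commitments, so it assumes the servers
    follow the protocol. A real system adds verifiable sharing.)
    Returns {server_id: share} for server ids 1..n.
    """
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    return {j: sum(_eval_poly(f, j) for f in polys) % Q for j in range(1, n + 1)}


def lagrange_at_zero(i, subset):
    """lambda_i = prod_{j != i} (0 - j) / (i - j) over Z_q."""
    num, den = 1, 1
    for j in subset:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def partial_exponent(share, i, subset):
    """Server i's contribution: g^(lambda_i * s_i). It sees only its own share."""
    return pow(G, lagrange_at_zero(i, subset) * share % Q, P)


def combine(partials):
    """Client side: multiply t partials to obtain g^s mod p."""
    acc = 1
    for v in partials:
        acc = acc * v % P
    return acc


def threshold_public_value(shares, subset):
    """Ask the servers named in `subset` (exactly t of them) and combine."""
    subset = tuple(subset)
    return combine(partial_exponent(shares[i], i, subset) for i in subset)


def reconstruct_secret(shares, subset):
    """For checking the example only: rebuild s from t shares.
    A deployment never runs this; avoiding it is the whole point."""
    subset = tuple(subset)
    return sum(lagrange_at_zero(i, subset) * shares[i] for i in subset) % Q


if __name__ == "__main__":
    shares = dealer_free_keygen(n=5, t=3)
    v1 = threshold_public_value(shares, [1, 2, 3])
    v2 = threshold_public_value(shares, [2, 4, 5])   # any 3 servers agree
    assert v1 == v2
    # Sanity check against the (never normally computed) secret.
    assert v1 == pow(G, reconstruct_secret(shares, [1, 3, 5]), P)
    print("two different quorums produced the same g^s; s was never assembled")
```

Two things this toy leaves out that a real deployment needs: verifiable sharing (commitments to each polynomial so a misbehaving server cannot corrupt the others' shares), and the protocol layer that turns a user's password into the input to such a distributed computation, which is a separate construction (an oblivious pseudorandom function or similar) and is not shown here.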
And I'm pleased to be joined once again by Robert Boyce.
He is Managing Director and Global Lead for Cyber Resilience at Accenture.
Rob, we have been tracking that some folks on the dark web are coming after folks who are using CRMs,
these customer relationship management systems. And I know that's been a focus for you and your colleagues there at Accenture.
What can you share with us today?
Yes, thank you again for having me, Dave.
It's always a pleasure being here.
Yeah, this has been a really interesting area of research for us.
We have seen a significant increase in threat activity against CRMs in the last year.
When I say significant, I'm talking
400% or more. And we, of course, then started asking ourselves, well, why is this happening?
And what do we think is driving this? And historically, CRM systems haven't been a huge
target for, say, ransomware threat actors, because it's very hard to move from a CRM
into the other parts of the environment that allow you to compromise
and launch ransomware. But we've also seen a huge evolution recently with ransomware gangs,
or I guess threat actor groups like Karakurt and Lapsus$, where they have been moving to extortion
only through data theft, data theft extortion attacks. And what that really means is they're looking at stealing data and then
extorting the owners of that data
for funds to try and receive payments.
So that's, I think, since that's been having so much success recently,
I think we're starting to see this as becoming now evolving into a true
threat ecosystem because we're also seeing initial access brokers focus on being able to harvest credentials for CRMs specifically and sell those on the dark web.
We're actually also seeing threat actors develop zero days specifically for CRM systems, which we had not seen really either of those two things before.
We've seen these initial access brokers sell access,
used to be just a year ago, hundreds of dollars.
And now we've seen it all the way up to $30,000
to purchase access to these systems.
So people are starting to realize the value of the data
and how it can be used, not just from an extortion point of view, but also how that data can be used to be weaponized in secondary attacks, as an example.
that they don't want the notes that they've left about their customers and the various stages they may be along in a sales process.
They want all that to stay private.
Yeah, well, I think the industries we're seeing most targeted by this right now
are healthcare, financial services, telco, legal,
industries that are very highly regulated.
And so it's probably an aspect of embarrassment,
but there's also an aspect of the regulatory implications
with that data being stolen.
And so I think there's that.
I also think that those industries are very unique
in the way you could weaponize that data for secondary attacks.
As an example, I think we talked about this once before,
being able to have data from a CRM would give you an immense amount of information
to launch a very sophisticated or high-fidelity business email compromise attack
or being able to have much more successful phishing attempts for an organization.
And then when we think about the industry angle from a telco point of view, if you're
able to steal a lot of telco data around consumers, you could use that for a large-scale
SIM swap campaign from a threat actor point of view.
So I think the threat actors are finding very innovative
or maybe unique ways to be able to leverage organizations' data
rather than not just stealing it and holding it for ransom or extortion,
but it's really how they're using that data to enable secondary attacks.
The CRM providers, are they stepping up here?
Are they reaching out to their customers
and saying, you know, make sure that you're interacting with us in a secure way? Anything
happening from that end? Yeah, I think we're seeing CRM providers establish more secure
options within their platforms, right? Like being able to use two-factor authentication, etc.
And I think that's great. I think organizations also need to understand
that this is now becoming a true target for threat actors.
And before, yes, it was always important,
but it was never seen as a true target for threat actors.
And I think organizations have spent a lot of time,
especially regulated organizations,
have spent time understanding their important data,
or I say regulated data, but I think now,
but I think threat actors are now being able
to leverage non-regulated data for very,
again, for weaponizing for secondary attacks,
for more innovative and unique ways.
So I know I would say to organizations,
just we need to think about data
a little bit more broadly
rather than just point-in-time regulated data that's
required to be secured. I think we need to think about a broader data protection strategy for
organizations. And I think they also need to think about the CRM systems with the same level of
security control as they would for other systems. I think these have just been, you know, overlooked in the past for a large part.
All right.
Well, interesting insights for sure.
Rob Boyce, thanks so much for joining us.
The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and
technologies. This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester, with original music by Elliot Peltzman. The show was written by
John Petrick. Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.