CyberWire Daily - Unpatched VMware ESXi instances attacked. 0ktapus is back. Update on LockBit's ransomware attack on ION. Charlie Hebdo hack attributed to Iran.
Episode Date: February 6, 2023

New ransomware exploits a VMware ESXi vulnerability. Roasted 0ktapus squads up. LockBit says ION paid the ransom. Russian cyber auxiliaries continue attacks against healthcare organizations. Attribution on the Charlie Hebdo attack. Deepen Desai from Zscaler describes recent activity by Ducktail malware. Rick Howard looks at cyber threat intelligence. And the top US cyber diplomat says his Twitter account was hacked.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/24

Selected reading.
Ransomware Gang in Trading Hack Says Ransom Was Paid (Bloomberg)
Regulators weigh in on ION attack as LockBit takes credit (Register)
Russian hackers launch attack on City of London infrastructure (The Armchair Trader)
Ransomware attack on data firm ION could take days to fix -sources (Reuters)
Linux version of Royal Ransomware targets VMware ESXi servers (BleepingComputer)
Ransomware scum attack old VMWare ESXi vulnerability (Register)
Italy sounds alarm on large-scale computer hacking attack (Reuters)
Italy's TIM suffers internet connection problems (Reuters)
Italy sounds alarm on large-scale computer hacking attack (Jerusalem Post)
Italian National Cybersecurity Agency (ACN) warns of massive ransomware campaign targeting VMware ESXi servers (Security Affairs)
Campagne d'exploitation d'une vulnérabilité affectant VMware ESXi [Exploitation campaign against a vulnerability affecting VMware ESXi] (CERT-FR)
VMSA-2021-0002 (VMware)
CERT-FR warns of a new wave of ransomware attacks targeting VMware ESXi servers (Security Affairs)
'0ktapus' hackers are back and targeting tech and gaming companies, says leaked report (TechCrunch)
Customizable new DDoS service already appears to have fans among pro-Russia hacking groups (The Record from Recorded Future News)
Russian Hackers Take Down At Least 17 U.S. Health System Websites (MedCity News)
Tallahassee Memorial HealthCare, Florida, has taken IT systems offline after cyberattack (Security Affairs)
Iran responsible for Charlie Hebdo attacks - Microsoft On the Issues (Microsoft On the Issues)
Piratage de « Charlie Hebdo » : un groupe iranien à la manœuvre, selon Microsoft [Hacking of "Charlie Hebdo": an Iranian group behind it, according to Microsoft] (Le Monde)
Iran behind hack of French magazine Charlie Hebdo, Microsoft says (Reuters)
Microsoft attributes Charlie Hebdo data leak to Iran-linked NEPTUNIUM APT (Security Affairs)
America's top cyber diplomat says his Twitter account was hacked (CNN)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
New ransomware exploits a VMware ESXi vulnerability. Roasted 0ktapus squads up. LockBit says ION paid the ransom. Russian cyber auxiliaries continue attacks against healthcare organizations. Attribution on the Charlie Hebdo attack. Deepen Desai from Zscaler describes recent activity by Ducktail malware. Rick Howard looks at cyber threat intelligence. And the top U.S. cyber diplomat says his Twitter account was hacked.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 6th, 2023.
France's Computer Emergency Response Team, that's CERT-FR, and Italy's National Cybersecurity Agency have both warned of a widespread ransomware campaign that is exploiting a vulnerability in VMware ESXi servers.
The ransomware is exploiting CVE-2021-21974, which VMware patched in February 2021.
Bleeping Computer says at least 3,200 servers around the world have been infected.
CERT-FR recommends that organizations apply all patches for ESXi hypervisors and also verify that their systems haven't already been compromised.
The ransomware appears to be based on Babuk source code.
TechCrunch reports that the threat actor known as 0ktapus is now targeting the technology and video game sectors.
The threat actor compromised more than 130 organizations last year using simple phishing kits.
According to a report obtained by TechCrunch, 0ktapus is launching phishing attacks against video game companies, as well as business process outsourcing companies and cellular providers.
Some of the targeted companies are said to include Roblox, Zynga, MailChimp, Intuit, Salesforce, Comcast, and Grubhub.
Group-IB published an extensive report on 0ktapus last August. Indeed, they're the ones who declared it roasted. The researchers say the criminal group combined simplicity with sophistication and its tentacles were groping at credentials. TechCrunch reports a consensus among researchers that 0ktapus is the same group known elsewhere as Scattered Spider.
The UK-based ION trading group, hit by a LockBit-claimed ransomware attack that began on Tuesday, has reportedly paid the ransom asked of them by the threat group, Bloomberg reported Friday. Bloomberg News cites a LockBit group representative who told them that the ransom was paid and that the gang provided a decryption key to unlock the compromised computers. The person or entity behind the ransom payment, as well as the monetary amount, was not disclosed to the outlet. Reuters said last week that the attack could take days to fix, though if the group representative is reliable, the decryption key provided may expedite the process. The United States FBI has begun its own search for information on the attack, in addition to UK regulators conducting individual investigations, Bloomberg wrote Friday.
MedCity News last week put the total number of U.S. healthcare facilities affected by Killnet DDoS attacks at at least 17. While much of the activity has remained at nuisance level, that hasn't been the case with all of it.
Tallahassee Memorial HealthCare in the U.S. state of Florida took its IT systems offline Friday and suspended emergency medical services, diverting most such patients to other hospitals. It announced that for the time being, it would only accept level one traumas from its immediate service area. The hospital said in its updates on the incident, "We are safely caring for all patients currently in our hospital, and we are not moving patients to other facilities. However, we have rescheduled non-emergency patient appointments. Patients will be contacted directly by their provider and/or care facility if their appointment is affected."
The Record observes that attribution to Russian auxiliaries is still circumstantial, but it seems nonetheless fairly clear. The attack on Tallahassee Memorial HealthCare comes just one day after a group of pro-Russian hackers announced DDoS attacks on hospitals in at least 25 U.S. states, knocking several offline for hours. The Russian cyber auxiliaries appear to have ready access to commodity criminal DDoS tools, notably the Passion botnet described last week by Radware, who stated, "Passion Group, affiliated with Killnet and Anonymous Russia, recently began offering DDoS as a service to pro-Russian hacktivists. The Passion botnet was leveraged during the attacks on January 27th, targeting medical institutions in the USA, Portugal, Spain, Germany, Poland, Finland, Norway, Netherlands, and the United Kingdom as retaliation for sending tanks in support of Ukraine."

Charlie Hebdo, the well-known French weekly satirical magazine, was hit with a cyberattack that saw customer data stolen and leaked, Reuters reported Friday.
Microsoft researchers are attributing the activity to the Iranian threat group NEPTUNIUM, which appears as Emennet Pasargad in the U.S. State Department's Rewards for Justice program. Security Affairs wrote yesterday that the group claimed in early January to have stolen the personal data of over 200,000 Charlie Hebdo customers, sharing a data sample that included the full names, telephone numbers, and home and email addresses of people who'd either subscribed to or purchased something from the magazine. Microsoft says that the data was offered for sale at the price of 20 Bitcoin, or approximately $340,000 at Friday's exchange rates.
The Rewards for Justice description of Emennet Pasargad explains that the outfit is a contractor, an Iranian company that's done business under a variety of names. It earned its place of dishonor in the Rewards for Justice program through its unsuccessful attempts to influence the 2020 U.S. elections. But the State Department says they are not just ordinary trolls hanging out under some bridge in St. Petersburg. Emennet Pasargad, State says, poses a broader cybersecurity threat outside of information operations. Since 2018, Emennet has conducted traditional cyber exploitation activity targeting several sectors, including news, shipping, travel, oil and petrochemical, financial, and telecommunications in the United States, Europe, and the Middle East. There's a reward of up to 10 million Yankee dollars for information on the group. If you'd like to drop a dime on them, you can do so on the State Department's special Tor site.
And finally, Nate Fick, U.S. Ambassador-at-Large for Cyber and Head of the State Department's Bureau of Cyberspace and Digital Policy, tweeted Saturday, "My account has been hacked. Perils of the job." What he means by hacked isn't further specified. In any case, the hacked account is a personal one the ambassador uses for posts about weather, mountain biking, and backcountry skiing, which probably accounts for the refreshing shrug-off. Ambassador Fick communicates officially through an official account, @StateCDP, and that's a good practice.
Coming up after the break, Deepen Desai from Zscaler describes recent activity by Ducktail malware. Rick Howard looks at cyber threat intelligence. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives ... and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, it's always great to welcome you back.
Hey, Dave.
So your CSO Perspectives show is in the middle of your 12th season, which is unbelievable to me, especially since the CyberWire has only been around for seven years. So you seem to be running at warp speed over there.
We talked about this last week. This is dog years. That's how we count these seasons in CSO Perspectives.
Fair enough.
Well, so far this year, or this season, I should say, you've been talking about some great stuff.
And what is on your docket for this week?
So back in season one, when we first started the show, we did an episode on cyber threat intelligence operations, or CTI.
And it was one of our most listened to shows.
So I really liked that one.
Yeah, I liked that one.
Yeah, I remember that one. You were talking about the intelligence life cycle, if memory serves me, which is, that's the mechanics of how you collect intelligence. Now, didn't you say that that was invented by the U.S. military during and around World War II?
Yeah, that's right. They kind of invented the formal process after the war, you know, when intelligence officers tried to explain what they did during the war. So, you know, kind of, here's what we did. Yeah, that sounds good. But, you know, the whole operation stuck. So, but it's been two years since that episode, and I was just thinking it was time for an update. And I got a call from Landon Winklevoss before the holiday break. He's the co-founder and VP of content at Nisos. They're a commercial intelligence firm. And he thought it would be interesting to explore how the corporate world is systematically using their intelligence teams to help the business. So I grabbed Landon for a deep dive conversation about the current state of cyber threat intelligence in the commercial world.
All right.
Well, that is the CyberWire Pro side.
What are you pulling out of the CSO Perspectives archives this week for the public side?
So, last week, we pulled an episode about single sign-on. And so, this week, it made sense that we would couple that episode with a topic in the same general category, identity, kind of a double feature, if you will, right? So, this week, we're pulling an episode from May of 2002 about two-factor authentication.
You know, when I listened to that show last year, I really had no idea there were so many different ways to do two-factor authentication. And, you know, with all things security, there's always that trade-off between the ease of use and the degree of security.
Yeah, I didn't know all that stuff either until we did a deep dive on it, and we ended up covering several authentication methods in detail. We cover SMS, email, authenticator software tokens, push tokens, and the latest entry into the field, universal second factor, or U2F it's called.
Well, before I let you go, what do you have for us this week on your Word Notes podcast?
So this week, the word is man in the middle.
I know you're familiar with that, Dave.
Yeah, it really is.
Yeah.
You know, because some things never go away.
And we think that the first documented use of a cyber man-in-the-middle attack was sometime in the early 1980s.
So on this show, we explain what it is, and we even demonstrate its use from one of my favorite hacker movies, War Games.
All right. Well, we will look forward to that.
Once again, Rick Howard is the host of the CSO Perspectives podcast on CyberWire Pro.
He is also our chief security officer and chief analyst.
Rick Howard, thanks for joining us.
Thank you, sir.
And joining me once again is Deepen Desai.
He is the Global CISO and Head of Security Research and Operations at Zscaler.
Deepen, it's always a pleasure to welcome you back to the show.
I want to touch today on the Ducktail infostealer, which I understand you and your colleagues have been keeping an eye on lately. There's a new variant that you all are tracking?
Yes. Thank you, Dave. So Ducktail, very interesting info-stealing malware. So just to give you guys a background, the ThreatLabz team tracks dozens of different infostealer families. So there's a group of researchers under ThreatLabz that are tracking changes in this threat landscape, how the threat actors are evolving their tools, tactics, and procedures to steal a variety of information. So as part of that tracking activity, we came across a new variant of Ducktail infostealer, and that is being actively distributed by pretending to be cracked software. Nothing new over there. We've seen other families leverage that tactic before as well. It includes a variety of applications like gaming apps or Microsoft Office applications. We saw Telegram and some of the other popular apps as well being used by the gang.
So someone's looking to get themselves a cracked version of software and they get a little more than they were counting on.
Exactly.
And so what exactly does Ducktail go after? Is it just a pretty broad infostealer?
Yeah, so just some background. I mean, Ducktail is not net new. I mean, they've been around since at least 2021. And it's attributed to a Vietnamese threat group. The campaigns that the team has tracked since last year were all focused on taking over Facebook business accounts. And the intent over there is to either manipulate the page or to access the financial information. And the goal is to steal data and commit financial fraud over there. The earlier versions that we saw were written using .NET Core, which is a Microsoft open source version of .NET. And they were leveraging Telegram with that one to perform C&C activity and exfiltrate data, the data that gets stolen after the account hijacking. In August 2022, the Zscaler ThreatLabz team saw a new campaign consisting of the infostealer in a PHP version. And again, it's still aiming to exfiltrate sensitive data, but it will target a little bit broader. I mean, it will look at things saved in the browser, so saved credentials in the web browser, specifically targeting Facebook account information. But rather than going after just Facebook business accounts, now they're targeting a broader consumer base as well.
And how exactly are they going after people on Facebook? Are they going after their credentials?
Yeah, the goal over here is with the payload that I spoke about. So folks who are looking for a free version of the software will download a payload that is basically this malware that will then run on the system, look for saved credentials, which includes Facebook business accounts, and the credentials get stolen. The threat actor is able to establish access to the page, make changes. They're able to access even the financial information related to the business account and get access to basically steal that part as well to perform financial fraud.
You know, Deepen, usually when we talk about these things, I ask you what folks can do to help protect themselves. I suppose in this case, we lead off with don't download cracked software.
Absolutely, yes. Don't look for free versions of licensed software.
Right, right. But suppose I'm running an organization here and one of my users does this. Are there things that I should be on the lookout for?
Yeah, I mean, look, in this case, you need to have a strategy in place that users will make a mistake. They will click on those links and they will download, you know, at times, suspicious payloads. So this is where your cloud sandboxing solution plays a very important role, because many of these payloads are packaged near real time when the user clicks on the link and tries to download them. Now, not downplaying the fact that the inline engines, whether it's the IPS engine, your scanning engines, all of those play a very important role in blocking things that are known bad. But when the payloads are being packaged near real time, you also need to have a sandboxing solution that's able to detonate the payload, monitor the behavior, and convict the file based on the activity it performs. The other piece that I would always encourage is to include some of these scenarios in your employee awareness training as well. It's important to make the employees aware that in your quest for downloading that free version of the software, you know, there's so many of these cases where you're inadvertently downloading a malware file that can cause a lot of harm, not just to their individual system, but to the business overall.
All right. Well, Deepen Desai, thanks so much for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, huh?
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.