CyberWire Daily - Update: VMware ESXi exploitations. Super Bowl cyber risks. Scalping bots. The curious case of the Moscow billboards.
Episode Date: February 7, 2023

VMware ESXi exploitations. Super Bowl cyber risks. Scalping bots. The curious case of the Moscow billboards. Joe Carrigan tracks pig butchering apps in online app stores. Our guest is David Liebenberg... from Cisco Talos, to discuss incident response trends. And, in sportsball, it’s gonna be the Chiefs by a couple of hat tricks, or something.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/25

Selected reading.
Ransomware Hits Unpatched VMware Systems: 'Send Money Within 3 Days' (Virtualization Review)
Massive ransomware attack targets VMware ESXi servers worldwide (CSO Online)
CISA steps up to help VMware ESXi ransomware victims (SC Media)
‘Massive’ new ESXiArgs ransomware campaign has compromised thousands of victims (The Record from Recorded Future News)
Have you clicked “Report Junk” lately on your #mobile device? (Proofpoint)
CyRC special report: Secure apps? Don’t bet on it (Synopsys)
DataDome’s Inaugural E-Commerce Holiday Bot & Online Fraud Report Reveals the US as the Top Source of Bot Attacks (DataDome)
Darknet drug market BlackSprut openly advertises on billboards in Moscow (The Record from Recorded Future News)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
VMware ESXi exploitations, Super Bowl cyber risks and scalping bots,
the curious case of the Moscow billboards,
Joe Carrigan tracks pig butchering apps in online app stores,
our guest is David Liebenberg from Cisco Talos to discuss incident response trends,
and in sports ball, it's going to be the Chiefs by a couple of hat tricks,
or something like that.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 7th, 2023.
More information has come to light regarding the widespread ransomware attacks exploiting a two-year-old
vulnerability in VMware ESXi servers. The ransomware, which is being tracked as ESXiArgs,
appears to be a new strain. SC Media reports that Europe has so far been the hardest-hit region,
followed by North America. The U.S. Cybersecurity and Infrastructure Security Agency
has offered its help, saying, CISA is working with our public and private sector partners to
assess the impacts of these reported incidents and provide assistance where needed. VMware
yesterday published a statement on the incident, noting that they have not found evidence of an unknown vulnerability,
a zero-day, being used. Most reports suggest the attacks are targeting products that are
end-of-general support or out-of-date, and that they can be addressed by upgrading to the latest
supported releases of vSphere components. VMware also recommends disabling the OpenSLP service in ESXi.
Versions released as of 2021 ship with this service disabled by default.
It's worth noting, again, that the vulnerability being exploited is one VMware patched last year,
and so mitigations and fixes are indeed available.
What follows is inevitably going to be an American thing, so rest of the world,
receive this with our apologies. This coming Sunday is, as you may have heard, the day on
which the Super Bowl will be played to decide the championship of the National Football League.
That's American football, friends, not the sort of football they mean in, say, the UK or most of
Latin America. We know, we know, the whole business has been completely devoid of interest
since the Baltimore Ravens were eliminated in the wildcard round, but apparently people in places
like King of Prussia, PA, and Peculiar, Missouri are following the build-up to the big game, which
no longer appears so big to the rest of us,
since, as I said, the Ravens are out of it.
Anywho, the scammers are trying to ride the NFL's hype cycle,
as scammers will.
Proofpoint describes a spike in Super Bowl-themed spam
over the past weeks,
and Synopsys casts a skeptical eye on sportsbook apps. Proofpoint
researchers say they've observed an 860% increase in smishing attacks during the NFL playoff period.
The vast majority of the text messages contained a shortened link leading to a malicious website.
The messages contained phony offers for iPad giveaways or free betting money. The researchers
expect these scams to increase as the Super Bowl approaches, and the researchers are probably right.
Free betting money might as well come with a lead-in. Step right up, and step right up they will.
The whole betting angle is entirely foreseeable.
Synopsys has just published a report looking at the security of the top 10 sports betting apps for Android devices. The researchers found that all of the apps use outdated open-source components that contain vulnerabilities.
The vulnerabilities aren't necessarily exploitable within the apps themselves, but they're not a good sign.
Synopsys says their presence indicates that developers and app stores
should refine their security practices, and Synopsys can say that again.
In the meantime, I'm checking my apps because that's what all the kids are doing nowadays.
We're taking, what, the Chiefs to cover?
Wait, wait, this mic was on? Oh, just kidding.
No gambling here, friends. And in any case, go Chiefs, or if you prefer, fly eagles fly.
Looking at other forms of online crime and fraud, Datadome has published a report on
e-commerce bot traffic during the 2022 holiday season, finding that bots are growing
increasingly capable of imitating human users. Most of the traffic observed by Datadome came
from IP addresses in the United States. This doesn't necessarily mean the spammers are in the
U.S., since they intentionally use IP addresses in the region they intend to target.
And the researchers note that most of Datadome's customers are located in the U.S.
98% of the bots were designed to scrape online retailers' inventory and buy items to be scalped. The two most targeted sectors were electronics and footwear.
The bots were particularly focused on gaming consoles and luxury or limited edition
clothing merchandise. It's striking how the digital versions of it fell off a truck and
I know a guy who knows a guy have cropped up. And finally, electronic billboards in Moscow
over the weekend displayed large prominent ads for BlackSprut, an infamous dark web contraband
market mostly involved in illicit drug sales. The Record reports that the ads featured a woman in
what The Record calls a futuristic mask, but which looks more like some kind of kinky erotic gear,
or so we've heard. We are unacquainted with that stuff here on what is, after all, a family show.
And the slogan,
come to me if you're looking for the best.
It's unclear why the ads appeared,
but the competing theories are that,
first, maybe it was an oversight.
Someone just slipped up,
and boy, are they in trouble.
Or the billboards were hacked,
or the ads were permitted.
That last one seems likeliest. BlackSprut is a successor
to the now-defunct Hydra illicit market, and it handles a lot of trade, perhaps nearly 30%
of the darknet market share globally. So BlackSprut may be too big to interfere with,
and this may simply represent an evolution in the long-standing coziness
between the Russian organs and the country's online gangs. So anyway, perhaps Mr. Putin wants
to fire up that app, treat yourself to some of that free betting money. We hear the smart play
is the Chiefs by a couple of home runs, or something like that.
After the break, Joe Carrigan tracks pig butchering apps in online app stores.
Our guest is David Liebenberg from Cisco Talos to discuss incident response trends.
Stay with us.
Dave Liebenberg is head of strategic analysis at Cisco Talos,
where they recently released their quarterly incident response trends report covering the fourth quarter of 2022.
I spoke with Dave Liebenberg for the highlights.
Targeting is always interesting. Just seeing what the trends are,
what are the industry verticals that are getting the most attention.
And this quarter, Q4, the top targeted vertical was telecoms.
Telecommunications was actually the top targeted vertical
nearly every quarter this year, apart from Q3, in which it was education.
So telecoms have just been a big, big target this year.
In previous years, it was hewed more closely to education,
manufacturing, and sometimes local government.
Any insights as to why telecoms might have this target on their back?
You know, I don't have definitive reason for it,
but to me, telecoms seem like a good target
because, one, it's a good way to maximize your threat surface
and pivot into other high-value targets that you want to get to.
There's lots of legacy technology. There's lots of sensitive
information. And of course, there's lots of concern about downtime.
So I can certainly see why it's a popular target.
One of the things that you all pointed out here was that
there was a platform called Syncro that showed up a lot. Can you give us
some of the information about that?
Yeah, definitely.
Syncro is a remote monitoring and management tool, or an RMM.
These types of tools, similar to TeamViewer or things like that,
we've seen a 10% increase in usage from last quarter to this quarter.
And add to that, Syncro itself was actually observed in 30% of engagements this quarter.
So just a massive increase in the usage of that particular tool.
And we've seen it being used in a variety of different threats,
from commodity loaders such as BatLoader.
We saw a Qakbot infection using it, phishing campaigns using it, ransomware using it. So it's very widespread and very popular among a diverse group of threat actors.
Another thing you all pointed out was a possible rebranding of the folks behind Conti.
Yes, that's correct.
Another one.
It seems like it's the rebranding that never stops.
But yes, Royal Ransomware, which is a newer ransomware family that we just began observing this past quarter,
appears to have been a rebrand from Conti, according to analysis
from various security firms.
And to me, one of the most interesting things
about the emergence of these new ransomware actors
and rebrandings and stuff like that is,
while ransomware has continued to be
the most dominant threat that we face
or that we see in IR engagements. It's been
that way for many, many quarters since we've done this. While that game has remained hot, the players
constantly shift because of infighting, because of law enforcement attention, because of, you know,
many different reasons so that we're constantly seeing newer actors emerge into the field.
You all pointed out that nearly 40% of the engagements use phishing emails as their way to establish initial access,
but also that folks still seem to be lagging
when it comes to multi-factor authentication.
Yeah, 30% of engagements this quarter
basically had MFA that was not robust enough.
Either they didn't have it at all, or they only had it on a handful of accounts
or critical services.
Our top recommendation has been very consistent for the past year
and change, really, which is you need to implement MFA.
It needs to be implemented on everything critical,
including EDR, VPNs.
All that needs to be locked down
because if the threat actor can uninstall your security systems,
then they're not going to be very effective.
MFA is hugely important,
and the amount of phishing attacks that we observed this quarter
just highlights how important it is and the gap that some enterprises have in implementing it.
Well, beyond MFA, what are some of
happen in 2023 and thinking about future trends and stuff like that, I think phishing is just going to continue to get very, very effective.
And, you know, I think it has to lead to a little bit of a not if, but when mindset.
And, you know, I think recommendations along that line
is you need to think about harm reduction.
You need to think about getting that MFA on.
You need to think about segmenting.
You need to think about locking down powerful tools
like PsExec and PowerShell
to users who are very secure accounts.
And you have to have
sophisticated training for employees.
And most importantly, I always say this, you don't want to
learn how to put out the fire as a fire is happening.
So get an incident response plan in place, get an asset inventory
in place, get logging in place, and make sure
if something does happen, you're well positioned to help mitigate it.
That's Dave Liebenberg from Cisco Talos. The report is titled Incident Response
Trends in Quarter 4, 2022. We'll have a link in the show notes. And joining me once again is Joe Carrigan.
He is from Harbor Labs and the Johns Hopkins University Information Security Institute.
Joe, interesting article from the folks over at Ars Technica. This is written by Dan
Goodin, and he's actually referencing some research from the folks over at Sophos about
some pig butchering scams that have made their way onto some of the app stores. Can you unpack
what's going on here, Joe? Yeah, it's a convoluted scam. I mean, it's really big because the payouts are big. So pig butchering, or in what they're
calling it here in this story, which I like a little bit better because it doesn't sound so
gross, is CryptoRom, which is a combination of cryptocurrency scams with romance scams.
So the typical pig butchering scam is one where you, the scammer hooks up with
somebody, uh, usually through romantic, uh, interludes, right? Through some romantic pretext.
Okay. And over time, then the scammer tells the person, uh, yeah, well, I've been making money
with crypto here. Uh, here's how I do it. And I invest in this company.
And the victim then says,
oh, well, maybe I'll try some of that
with a little bit of money, right?
And they put a little bit of money in.
By the time this is going on,
by the way, the scammer already knows
about how much this person is going,
whether or not this person is worth their time to pursue.
I see.
Right?
Does this person have money that I can steal from them?
Mm-hmm.
And how much?
A good idea of how much.
So the person will put some money in.
That money will grow.
It doesn't really grow, but it looks like it's growing.
And then that person can even make a withdrawal
of the money they initially made.
Mm-hmm.
Right?
But if they put it in again,
they start getting these reports, oh, no, you can't
pull the money out now. You have to put more money in to get money out. And they just keep leading
the person on. And by they, I mean the organization, right? So, this article talks about the complexity
of these organizations and how big they are and actually how the bottom level of this organization is essentially a bunch of people who have been imprisoned, falsely imprisoned, human trafficking operations from other countries.
Their passports have been confiscated and now they have to participate or there's a threat of violence.
But up above them, there's people who build the infrastructure that is used for taking the money from people.
And what the crux of the story is, is that there have been two apps that Sophos found in both Apple's App Store and in the Google Play Store.
And these were initially a – one was a cryptocurrency price tracking app, and the other one was a barcode reader.
And the way these things got through the vetting process was very similar to something that Charlie Miller did back in 2011.
I'm going to hearken back to that. Charlie Miller found a vulnerability in the process
of how apps were updated on the Apple App Store. At that point in time, it was called the iTunes App Store.
Remember that?
Yeah.
Who's Charlie Miller?
Charlie Miller's a security researcher.
Okay.
He was at Twitter for a while.
He and I actually were both working at Accuvant at the same time before he moved on.
I've never met Charlie.
I mean, Accuvant was a big company at the time.
Yeah.
But Charlie Miller and Chris Valasek are the ones that hacked the Jeep.
Oh, yeah, sure.
Yeah, that's Charlie Miller.
Okay.
And he's really good at hacking Apple products.
I think another thing he did was, it may have been Charlie that did this,
he put malware on the battery controller for an Apple MacBook.
But Charlie's really smart.
And back in 2011, he found a way to get an app, a malicious
app into the app store. And what he did was he submitted an actual app. And then after the app
had been approved, he published an update to the app with unsigned code and Apple just pushed it
out. And he went to Forbes and disclosed the vulnerability. I don't know if he went to Apple
first. I don't know the details. But as soon as the story went public, Apple suspended his
developer account for a year, which I was very critical of. That's not how you reward security
researchers. But this is kind of the same thing. It works very similar. But these apps don't
publish new code. What's happening is outside of Apple and Google's control. So these apps all have
dynamic content on them that is provided from a website. Right. After the app has been approved,
the back end of that website changes to provide malicious content that lets people use this interface as if it were a crypto exchange.
And it's not.
It's just a theft of cryptocurrency.
So what happens is there's no banks involved at all.
These people tell the victim, go to Binance, which is a legitimate cryptocurrency exchange you can give money to.
So they're leveraging that infrastructure.
They're saying, buy some cryptocurrency, send it to this app over here, this exchange over here.
Which you can do.
You can send cryptocurrency between exchanges just by sending it to another address.
Let's say a Bitcoin address.
Right.
And that works just fine.
Like, you could easily exchange between, like, Kraken and
Coinbase or Binance and Coinbase, whatever. Any of these, but you could send money this way
legitimately all day long, but you could also be duped into sending it illegitimately. And that's
what happens. These guys then start their scam and they start telling people to put more and more money into it.
And we had a story on Hacking Humans about a guy that had his entire retirement drained by a
similar scam, though it wasn't cryptocurrency-based, but it was like stock market-based. So we got
these guys that run a hedge fund and they're making tons of money. And that guy looked at his
website every day and was like, man, I'm killing it.
And eventually put all of his money into there.
And then once he stopped putting money in, they shut it down and took his money and left.
Right.
And that's what happens here.
They shut down the, you know, they stopped communicating with you.
Your money is already gone the moment you send it to them once you've put a significant amount into it.
But the last part of this article is really telling. I'm just going to read it. He
says, it's easy, I guess this is Dan Goodin that says this, it's easy to read the details of these
scams and wonder how anyone could fall for them. Sophos and others say the victims who get taken in
are often well-educated, some with PhDs. Some of the techniques responsible for success include the length of the engagement
the scammers have with the victim and the proof of the initial withdrawal is possible. Combined
with the emotional vulnerability of some victims, the rise of app-based finance, and the unwitting
role played by companies like Apple and Google, these and other techniques have proven effective.
So one of the major points that Goodin makes in this article
is that when you go to the App Store,
especially the Apple App Store,
you generally have a high level of trust
with the app that's in there by default.
Right.
And these guys have found a way around it.
Now, Apple and Google,
immediately after being informed of this,
remove these apps from the App Store.
But the dynamic content problem,
I don't think there's a really easy technical solution to that.
Maybe they can issue, you know, maybe they can monitor all the apps.
Right.
But there's a lot of apps in the App Store.
Yeah, hard to keep up.
Yeah, it's hard to keep up.
That would be a large technical problem.
Yeah.
All right, well, again, this article is over on Ars Technica.
It's titled,
Pig Butchering,
Scam Apps Sneak into Apple's App Store and Google Play. Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
This episode was produced by Liz Irvin
and senior producer Jennifer Eiben.
Our mixer is Tré Hester
with original music by Elliott Peltzman.
The show was written by John Petrik.
Our executive editor is Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.