CyberWire Daily - U.S. tightens the cybersecurity belt.
Episode Date: June 21, 2024

Biden bans Kaspersky over security concerns. Accenture says reports of them being breached are greatly exaggerated. SneakyChef targets diplomats in Africa, the Middle East, Europe and Asia. A serious firmware flaw affects Intel CPUs. More headaches for car dealerships relying on CDK Global. CISA alerts over 100,000 individuals of a potential data breach in a chemical security tool hack. SquidLoader targets Chinese organizations through phishing. A new nonprofit aims to establish certification standards in maritime cybersecurity. A sneak peek of our latest podcast, Only Malware in the Building. Using the court system for customer support.

Our 2024 N2K CyberWire Audience Survey is underway; make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Guest Selena Larson, joined by Dave Bittner and Rick Howard, hosts the new podcast "Only Malware in the Building." This monthly collaboration between N2K CyberWire and Proofpoint delves into the most impactful and intriguing malware stories. Selena makes complex cybersecurity info fun and digestible, offering tech professionals clear, actionable insights.

Selected Reading

Biden bans US sales of Kaspersky software over Russia ties (Reuters)
Exclusive: Accenture says data leak claims false, only 3 affected (Cyber Daily)
Chinese-aligned hacking group targeted more than a dozen government agencies, researchers find (CyberScoop)
Intel-powered computers affected by serious firmware flaw (CVE-2024-0762) (Help Net Security)
CDK warns: threat actors are calling customers, posing as support (BleepingComputer)
Personal and Chemical Facility Information Potentially Accessed in CISA Hack (SecurityWeek)
New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document (GBHackers)
New body IMCSO to elevate standards and streamline provisioning of cybersecurity services in Maritime (IT Security Guru)
US DHS partners with Indonesia to strengthen maritime cybersecurity in Indo-Pacific region (Industrial Cyber)
How small claims court became Meta's customer service hotline (Engadget)
The curious case of the missing IcedID (Only Malware in the Building)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Biden bans Kaspersky over security concerns.
Accenture says reports of them being breached are greatly exaggerated.
SneakyChef targets diplomats in Africa, the Middle East, Europe, and Asia.
A serious firmware flaw affects Intel CPUs.
More headaches for car dealerships relying on CDK Global.
CISA alerts over 100,000 individuals of potential data breach
in a chemical security tool hack.
SquidLoader targets Chinese organizations through phishing.
A new nonprofit aims to establish certification standards in maritime cybersecurity, a sneak peek of our latest podcast, Only Malware in the Building, and
using the court system for customer support.
It's Friday, June 21st, 2024.
I'm Dave Bittner, and thank you for joining us.
It is great, as always, to have you here with us.
The Biden administration announced plans to ban the sale of Kaspersky Labs antivirus software in the U.S.
due to security concerns over Russia's influence on the company, Reuters reports.
Commerce Secretary Gina Raimondo emphasized
that Russia could exploit Kaspersky to steal sensitive data or install malware,
especially given the software's deep access to computer systems. Kaspersky's clientele
includes critical infrastructure providers and local governments, raising further alarm.
Kaspersky claims the decision is politically motivated
and intends to explore legal options.
The Russian embassy did not comment,
and Kaspersky maintains it is privately managed without government ties.
The new rule will take effect on September 29th,
blocking new sales, downloads, and updates of Kaspersky software in the U.S.
Additionally, three Kaspersky units will be added to a trade restriction list,
complicating its international operations.
This move aims to eliminate risks of Russian cyberattacks
and continues the pressure on Moscow amid the ongoing conflict in Ukraine.
Senator Mark Warner supports the ban,
arguing it's unsafe to allow
Russian software access to American systems. The new restrictions also prohibit the sale of
white-labeled products containing Kaspersky software. Sellers and resellers violating
these rules will face penalties. However, software users will not be penalized but will be encouraged to switch to
alternatives. In a follow-up to yesterday's report, Accenture has addressed the claims made by
BreachForums user 888, who alleged possession of data on just under 33,000 current and former
employees. According to Accenture, their analysis of the published
dataset revealed only three employee names and email addresses, with no additional information
linked to the company. Accenture reported no indications of system compromise, but stated
that investigations are ongoing. This response comes amid concerns raised by 888, a known leaker responsible for multiple
high-profile cyber attacks. A Chinese-speaking cyber espionage group, SneakyChef, has targeted
the ministries of foreign affairs and embassies in at least nine countries across Africa,
the Middle East, Europe, and Asia, according to Cisco Talos researchers.
Using non-public government documents as lures, the group aimed at Angola, Turkmenistan,
Kazakhstan, India, Saudi Arabia, South Korea, Uzbekistan, the U.S., and Latvia.
SneakyChef employs the SugarGh0st remote access tool and a new Trojan, SpiceRAT, to conduct their operations.
These findings indicate a rapidly evolving and aggressive hacking campaign targeting key geopolitical hotspots. There's currently no conclusive evidence linking the group to a
specific government agency, although some activity aligns with Chinese state-sponsored groups.
A firmware vulnerability in Phoenix SecureCore UEFI affecting various Intel processors allows local privilege escalation and arbitrary code execution within the firmware.
This flaw, linked to an unsafe GetVariable UEFI service call, could lead to a stack buffer overflow.
Discovered on Lenovo ThinkPad laptops,
it affects multiple Intel processor families.
Phoenix and Lenovo have issued updates.
While no exploitation in the wild is reported,
users should check for firmware updates.
Following up on this week's reports of car dealerships in the U.S.
being unable to serve their customers due to cyberattacks targeting
SaaS platform provider CDK Global,
the company has issued a new warning to customers about scammers posing as CDK agents
to gain unauthorized system access.
This caution comes after two cyber attacks on June 18th
and 19th forced the company to shut down its customer support channels and take most of its
systems offline. In response, CDK set up toll-free lines for status updates but warns customers to
avoid communications with anyone claiming to be a CDK representative seeking system access.
Customers should not perform DMS tasks and stay alert for phishing attempts.
CDK has no estimated resolution timeframe yet, but assures that digital retail application data is secure.
CISA has notified participants of the Chemical Facility Anti-Terrorism Standards
Program about a data breach involving the Chemical Security Assessment Tool hacked in January 2024.
Attackers exploited an Ivanti Connect Secure Appliance zero-day vulnerability. The breach
potentially affects over 100,000 individuals with compromised
data possibly including personal information, security assessments, and site security plans.
Although no data exfiltration was confirmed, CISA advises impacted individuals to reset passwords.
Facilities are requested to notify affected people or provide contact information to CISA.
The breach, considered a major incident under FISMA, exposed sensitive information related to chemical security.
Researchers have discovered a new malware loader, SquidLoader, targeting Chinese organizations through phishing emails.
Disguised as a Word document, it employs advanced evasion techniques to avoid detection,
such as obfuscation and using expired or self-signed certificates.
SquidLoader downloads a malicious payload, often Cobalt Strike, via HTTPS, which achieves persistence on the victim's machine.
The loader's sophisticated methods include encrypted code sections,
dynamic API resolution, and complex control flow obfuscation,
making it challenging for security analysts to detect and analyze.
The newly announced International Maritime Cybersecurity Standards Organization,
IMCSO, a non-profit supported by industry,
aims to solve several key issues in maritime cybersecurity. Currently, ship captains lack
the time to assist cyber auditors, and the variety of assessment methodologies creates
unnecessary complexity, overheads, and delays in providing risk and technical audit results
to port authorities and insurers. This inconsistency leads to confusion and inefficiency
in evaluating and managing cyber risks. IMCSO seeks to address these problems by standardizing
cybersecurity assessments and certifications, ensuring that evaluations are conducted uniformly,
safely, and effectively. This will streamline the risk assessment process, making it easier
for stakeholders to understand a vessel's cyber risk and provide a reliable registry of certified
cybersecurity suppliers and professionals. Ultimately, IMCSO aims to improve the overall resilience and compliance
of the maritime sector to cyber threats. Speaking of the maritime sector, the U.S.
Department of Homeland Security is enhancing maritime cybersecurity in the Indo-Pacific region
by partnering with Indonesia under initiatives from the U.S. Department of State and the Department
of Defense.
This agreement, part of the Comprehensive Strategic Partnership, aims to protect maritime critical infrastructure and improve the resilience of the international maritime transportation
system. DHS and Indonesian authorities conducted a cybersecurity tabletop exercise and workshop
to strengthen incident response capabilities.
This collaboration emphasizes information sharing, operational coordination,
and joint efforts to counter cyber threats, ensuring the safety and security of global maritime activities.
Coming up after the break, a sneak peek of our latest podcast, Only Malware in the Building.
Stick around.
We are pleased as punch to have premiered a new podcast titled Only Malware in the Building.
The show features yours truly, our own Rick Howard and Selena Larson from Proofpoint.
Here's a preview of the show.
Today, we're talking about the curious case of the missing IcedID. IcedID is a malware
originally classified as a banking trojan and first observed in 2017. It also acts as a loader
for other malware, including ransomware,
and was a favored payload used by multiple cyber criminal threat actors until the fall of 2023.
Then it all but disappeared. In its place, a new threat crawled, Latrodectus. Named after a spider,
this new malware, created by the same people as IcedID, is now poised to take over where IcedID melted off.
I'm a little bit grossed out about all this.
The first IcedID that you mentioned at the top of the show,
does that mean there's a spider in the cup also?
Oh my God.
No, but I highly recommend not Googling this malware name,
especially if you have a fear of spiders like I do.
I'm sorry.
I'm sorry.
I was just enjoying a delicious dip.
Selena, I want to apologize
that Rick and I were both late to this recording session.
We were waiting for Rick's dial-up to connect.
I just upgraded my modem, Dave,
so I don't want to hear any crap about how slow I am on this particular episode.
Sure. Okay. Absolutely.
Guys, guys, guys, we have to be cool.
Think about our audience.
Well, let's start out, I mean, talking about IcedID.
So what is IcedID,
and how did it originally emerge into the cybersecurity landscape?
IcedID has been around.
Like I mentioned, it was initially classified as banking malware.
It was first observed in 2017.
It was really part of that banking Trojan family. There was this era of cybercrime where you had things like Ursnif,
IcedID, Dridex all came on scene that were classified as banking malware. They were going
after banking credentials, real money. And then it started acting as a loader for other malware,
including ransomware.
It was used by multiple prominent initial access brokers. So essentially those threat actors that
are trying to gain access to compromise a system and then deliver ransomware. Emotet, for example,
was seen delivering IcedID. Can I just pause and say that the reason I love cybersecurity is that
all the cool names that we come up with to describe all this stuff.
I mean, you rattled off of maybe nine different malware names, right, that is on the tip of the tongue of everybody.
And that's the reason I'm here.
Okay, Selena.
You know what?
I feel like it has gone slightly overboard, though.
You know, it's hard to keep them all in my head.
There's just so many and the names are so chaotic.
Yeah, I wish there was one organization that could take responsibility for being the defining name
because every malware actor has half a dozen different names.
And very often it is my job to say them all and keep them straight.
Which is not easy.
Well, even IcedID was aka BokBot in the early days.
So there's, even malware has multiple names
for the same type of malware.
It's, yeah, you have to keep them straight.
Sounds like a robot chicken.
Yeah.
What I love about it though is, you know,
we have malware names, and we have hacker names, we have hacker group names,
and sometimes they're the same names, right?
And then it's like, talk about getting confused, okay?
I have no idea what we're talking about most of the time.
Oh, Rick.
Rick, you
don't give yourself enough credit. You know,
Selena, I think that it is safe to say
that Rick is a security genius.
Not particularly true, but safe.
Hey, I am in the presence of greatness right now.
Oh, stop.
Go on.
Go on.
Please, please tell me more.
Tell me more.
Only if you'll share your dips, Dave.
Okay.
No, I'm sorry.
It's not enough.
Well, you obviously haven't read my contract.
There'll be no sharing of the dips.
So, all right.
So we've talked about IcedID.
So what happened to IcedID?
How, like, do we understand the circumstances
of how it just fell off the radar?
That's a very good question.
So it was pretty prominent. And back in early 2023, we actually saw a new variant of IcedID called IcedID Lite kind of remove some of the functionality of the initial type of malware. So we thought that they were continuing development, going all in on this type of malware.
And then in the fall, it really just sort of stopped appearing in campaign data.
We were asking ourselves at Proofpoint, you know, fellow researchers being like,
hey, you know, what's going on?
Because the actors that use IcedID, these initial access brokers, they're still active.
And it coincided, the fall of IcedID sort of coincided with, in November 2023, this, you know, new malware
that kind of came on the scene, and initially people thought it was another new variant of IcedID.
But, great, this is interesting, but it turned out to be something completely
different. It was Latrodectus, but suspected to be developed by the same folks who created IcedID.
So this top dog of initial access malware that had been used for so long just sort of disappeared.
And in its place rose Latrodectus.
Did Latrodectus have some sort of significant upgrade to it that caused them to abandon the other one?
Or, I mean, it seems weird that we just take something that was working and go to something different.
Great question.
Not really.
And actually, if you ask my colleague, Pim Trouerbach, who did all of the malware reversing on Latrodectus, he thinks it's a little basic.
He's not very impressed.
Wow.
With this particular malware. He would like the threat actors to try a little bit harder.
Oh, don't say that.
To make things more fun for him.
Yeah, let's taunt them, Selena. That would be great for all of us.
You're right. You're right. I know.
So Latrodectus is the version of me dialing up to the internet with my modem?
Is that what you're telling me?
I don't know if it's quite that
because it's still a payload
that's used by initial access brokers, right?
Like we're still seeing it being used by threat actors,
although not as much as IcedID,
which is kind of interesting.
You know, IcedID was really up there
like with Qbot, right?
Like you had these sort of, you know,
frequent, highly regarded malwares, highly used malwares that typically led to ransomware.
I mean, IcedID we saw throughout its lifecycle leading to Maze,
Sodinokibi, Egregor. The DFIR Report just published a couple of posts recently about it going to Nokoyawa, Dagon Locker ransomware.
So it was really kind of a key component in many, many ransomware attacks.
So it was kind of interesting that it, you know, it just sort of like fell off the landscape.
And Latrodectus came back.
We only see it with a couple of our threat actors, but it's still like, you know,
you're still trying to figure out like what comes next.
IcedID was so prominent and then it just kind of disappeared.
And now we're all kind of seeing like, okay, what's going on?
So what's the main takeaway here, Selena? I mean, is there common protections for
Latrodectus or does it mean something specific if you see that kind of thing in your environment?
So I would say that with Latrodectus in particular,
I have to say the community has really come together to do a lot of really great research
into this particular malware.
Proofpoint actually published a blog
in collaboration with Team Cymru
looking at this particular malware and its infrastructure.
And that was pretty interesting to see a lot of,
you know, some of the overlap
with historic IcedID operations.
But, you know, when there is something like an initial access type of malware that is
identified, that's always something that should be sort of like a high priority, you know,
investigation.
Like, as we've seen historically, certainly with IcedID, things like Qbot, the access
to ultimate ransomware delivery, the relationship is there.
And I think the DFIR Report recently came out with an example of an IcedID infection with the time to ransomware being 29 days.
You know, it's the whole cycle and the activity is there.
There's going to be, likely, especially if we're talking about initial access brokers, there's going to be the initial malware delivery.
There's going to be data exfiltration. There's going to be lateral movement.
They're going to try and, you know, spread themselves as much as they can before actually leading to ultimate encryption.
So yeah, I mean, I think the jury's still out on like, what does Latrodectus mean? But it's a
great example of the continued experimentation of initial access brokers, the continued use of new tools, new resources, trying to adopt new techniques to see what works best.
And they're always out there trying to compromise computers and make as much money as possible.
Well, Selena, thank you for sharing all of this information with us.
We are excited to be part of Only Malware in the building.
Rick and I, we do have to run.
We are meeting up later today to play an exciting game of Pong together.
I believe I'm ahead, Dave. I believe I'm ahead.
Well, right. But before we do, we both need a nap.
So, thanks so much, and we will see you here next month.
Thanks, you guys. I'm very much looking forward to it.
And thanks to you all, our listeners, for tuning in to Only Malware in the Building.
Be sure to subscribe to Only Malware in the Building wherever
you get your favorite podcasts.
And finally, Ray Palena took drastic measures last month,
flying from New Jersey to California to confront
Meta in San Mateo's small claims court. After eight months and $700 in travel expenses,
he managed to reclaim his hacked Facebook account, something Meta's customer support
utterly failed to assist with. Palena's story is part of a growing trend of frustrated Meta users turning
to small claims court. Engadget found out that out of five people who sued Meta in small claims,
three successfully regained their accounts. Some even received financial compensation.
Why the courtroom drama? Meta's customer support is virtually non-existent. Their help pages send
users on a wild goose chase through automated tools and dead-end links. It's enough to drive
anyone mad. Valerie Garza, a massage business owner, faced similar exasperation. After her
business's Instagram was hacked, Meta's absence led her to court, where she won $7,268.65 in damages.
Meta didn't even show up to the hearing. Their legal team tried to overturn the verdict,
but Garza stood her ground and prevailed. For those without a financial stake, like Palena,
the frustration is still real. His hacked account was being used for scam listings,
damaging his reputation. Small Claims Court became his last resort to get Meta's attention and secure
his profile. Despite the hurdles, Small Claims Court offers a beacon of hope for those exhausted
by Meta's non-existent support. Filing fees are low, and the process doesn't require legal expertise,
making it accessible for many. Users like Palena and Garza show that sometimes
you have to take matters into your own hands to get results from the tech giant.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Kerri Shafer-Page from Arctic Wolf.
We're discussing their work, Lost in the Fog,
a new ransomware threat.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders
and operators in the public and private sector, from the Fortune 500 to many of the world's
preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to
optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter.
Learn how at N2K.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.