CyberWire Daily - Watering holes, from Kiev to Canada. File transfer blues. What’s up in the criminal-to-criminal market. And an update on the old Facebook breach.

Episode Date: April 6, 2021

A watering hole campaign compromised several Ukrainian sites (and one Canadian one). File transfer blues. A couple of looks into the criminal-to-criminal marketplace: establishing a brand and selling malicious document building tools. Ben Yelin has details on a privacy suit against Intel. Our guest is Steve Ginty from RiskIQ on the threat actors behind LogoKit. And notes on the big and apparently old Facebook breach, including why people care about it. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/65

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. A watering hole campaign compromised several Ukrainian sites and one Canadian one. File transfer blues. A couple of looks into the criminal-to-criminal marketplace. Ben Yelin has details on a privacy suit against Intel.
Starting point is 00:02:14 Our guest is Steve Ginty from RiskIQ on the threat actors behind LogoKit. And notes on the big and apparently old Facebook breach, including why people care about it. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 6th, 2021. Lumen Technologies' Black Lotus Labs this morning announced their discovery of a watering hole campaign that compromised a number of Ukrainian websites and at least one Canadian site. The campaign affected a range of sectors, including manufacturing, oil, media, sport, and investment banking. The unidentified attackers used malicious JavaScript on the sites to induce victims to send their NTLM hashes to an attacker-controlled server via Server Message Block Protocol, that's SMB. The technique is similar, Black Lotus Labs
Starting point is 00:03:26 noted, to one used in the compromise of the San Francisco International Airport's website in 2020. ManageEngine described the SFO incident last April. The Accellion FTA compromise continues to claim victims, many of them universities, and MSSP Alert has a rundown of the current state of that incident. FTA, however, isn't the only file transfer application to undergo exploitation. Avanan reports that a phishing campaign has been active, in some cases successfully, against users of WeTransfer, another popular file transfer app. The attackers are phishing, as one might expect, for user credentials, and their phish bait is a bogus message telling recipients, you have received some files.
Starting point is 00:04:14 Sophos researchers have discerned a connection between the Mount Locker ransomware group and a new gang, the Astro Locker team, the latter a relative newbie in the criminal space. The precise nature of the connection remains to be determined, but it may be an underworld branding exercise, with Mount Locker using the new group to give it the requisite cachet to become a player in the ransomware-as-a-service sector. Having a big affiliate or apparent affiliate can do that for a gang. If Mount Locker can claim a biggish-appearing gang as a customer, so much the better for its street cred, and presumably for its sales. Elsewhere in the underworld's criminal-to-criminal markets,
Starting point is 00:05:02 Intel 471 is observing EtterSilent, a tool for building malicious documents that's achieving significant market share. EtterSilent, first available on Russophone hacking forums, typically creates a bogus DocuSign template. It's been used to spread TrickBot, the BazarLoader, and three banking trojans, BokBot, Gozi ISFB, and Qbot. Those last three also use bulletproof hosting services from Yalishanda, one of the world's most notorious BPH providers, Intel 471 writes. As is often the case with phish bait, this one is more visually convincing than it is linguistically credible. While not the laugh-a-minute low-level we used to see from the Shadow Brokers, it's still got a whiff of Hollywood heckowy idiom. Why can I not open this document,
Starting point is 00:05:52 it asks, for example, then offers two suggested answers. You are using iOS or Android. Please use desktop PC. Or you are trying to view this document using online viewer. Well, what's a viewer for? In any case, the goal is to get the hasty, the curious, and the unwary to click. That big and old Facebook breach remains in the news. Business News points out that Mr. Zuckerberg himself was among the 533 million users affected. Among the Facebook founder's compromised data were his name, birthdate, location, marriage details, Facebook user ID, and the fact that he was a Signal user. Ireland's Data Protection Commission, whom the EU has stuck with the thankless task of supervising whatever it is that the Americans are up to, has, according to the BBC,
Starting point is 00:06:45 opened an investigation into the incident. The Commission is looking into whether the data recently made freely available on a site catering to low-end skids are in fact identical to those compromised in 2019. The timing is important for GDPR enforcement. An early leak would have occurred before the EU's privacy regime was fully in effect. So far, the Commission says it seems as if indeed the data are from the older leak, as Facebook has said, but the investigation is still young. Observers find the leak, old as it may be, troubling for several reasons. First, much of the data is of the sort that's unlikely to change. Second, as Vice sourly observes, Facebook doesn't appear to have been particularly diligent about
Starting point is 00:07:32 notifying its affected users back in 2019 when the company detected and fixed the breach. That also shows, The Washington Post's Cyber 202 thinks, the limitations of current data breach disclosure rules. Third, SC Magazine sees the incident as illustrating the problems that any business model dependent on collecting and selling user data will present. And finally, the data is now readily available to be used by a range of operators one might not particularly wish to meet online or in real life, whom WitFoo's Charles Herring characterizes for SC as telemarketers, sales personnel, debt collectors, stalkers, conmen, and the rest of the world. Some of our best friends are
Starting point is 00:08:18 sales personnel, but our editorial desk doesn't like the sound of that rest of the world. isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:09:17 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:10:11 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Researchers at security firm RiskIQ recently published results from their investigation into a phishing toolkit called LogoKit, popular for its ease of use and success rate.
Starting point is 00:11:06 Steve Ginty is Director of Threat Intelligence at RiskIQ. LogoKit is a phish kit. It's basically a tool that allows people to programmatically generate phishing websites and phishing emails to enable them to do credential harvesting at a large scale. So it's very flexible and easy to use, and therefore it's approachable to any level of malicious actor to spin up a site that looks like maybe your Gmail account or a bank account login page or what have you
Starting point is 00:11:41 to very quickly harvest your credentials and then go use that for nefarious purposes. Now, one of the things you dig into here is the business side of this operation. Can you share some of those details with us? Yeah. So as we were investigating the kit itself, kits are used by a broad swath of actors and therefore you can't kind of lump them all together.
Starting point is 00:12:03 But what we found was some information that led us to the people who developed and were selling the kit itself. And so as the team was doing their investigation, they found some unique strings inside of the URLs that were being sent to phish individuals. And that string led us to an open directory that allowed us to actually get a version of the kit, download it, and analyze it. And inside of that code, there was an email address that started this journey for us into the actors behind LogoKit. And it was specifically, they were using this FUD term consistently, which stands for fully undetected. And as you start to pull that string and you see in the report, they have a lot of presence on social media.
Starting point is 00:12:54 They were actively kind of pushing their wares. They had a bunch of websites that followed that same FUD kind of string. And so we were very quickly able to kind of find this very large ecosystem of actors or of a group selling this tool and other services. And so LogoKit, the tool itself, is one piece, but the group that is selling LogoKit sells kind of services to individuals that may leverage the kit, such as hosting, bulletproof hosting, so that they can conduct their campaign and other tools and services. Do you have any sense for the scale of the operation itself or how successful these folks are? From a monetary standpoint, we haven't gone down the road of investigating how successful they are from monetizing directly. But if we look at the timeline that we've been able to put together,
Starting point is 00:13:52 the individuals behind LogoKit have been active since 2015. So there has to be some level of success. They've been moving infrastructure every year or so. We're still able to track them. They focus in on tax schemes and SMS phishing and all sorts of different operations. And so it appears that the active group has been successful based on the fact that they've been operating for six years. That's Steve Ginty from RiskIQ.
Starting point is 00:14:38 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:15:20 And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast. Hello, Ben. Hello, Dave. Interesting story about a lawsuit against Intel. And this is a lawsuit that was filed in February and made its way from a Florida state court
Starting point is 00:15:41 and has shifted to a federal district court. And evidently, plaintiff, one Holly Landers, has claimed that she visited Intel's website in the year prior to January of 2021. And during those visits on the website, Intel had tracking, recording, and other session replay software to intercept her use and interaction with the website, including mouse clicks and movements. And this lawsuit is being brought saying that this violates wiretapping statutes. What's going on here, Ben? Sure. So we've seen a number of these cases pop up in both state courts and federal courts across the country. We've seen cases based in California,
Starting point is 00:16:23 New York, and now Florida. What's interesting about these cases is they are all causes of action brought under different state laws related to secure communications or the privacy of one's own software or devices. So it's not technically illegal in any of these states to do what Intel is doing here, which is temporarily intercepting some information, mouse clicks, movements, etc. Session replay software per se is not prohibited. It often comes down to this question of consent. The Florida law, which is the 2020 Florida Security of Communications Act, makes it a crime to intentionally intercept another person's electronic communications without prior consent.
Starting point is 00:17:10 So, so much of the outcome of this case is going to hinge on whether this plaintiff had informed consent. Informed consent in these types of cases is very difficult to adjudicate. You know, if you put something in tiny typing at the bottom of the screen that nobody would ever see, are you actually, you know, is that actually enforceable consent? You know, most of the time it is. But if lawyers are able to properly allege
Starting point is 00:17:39 that there wasn't an opportunity for this plaintiff, Ms. Landers, to understand how, you know, this session replay software was working, how frequently it was deployed, and the risks of the use of this software on the privacy of her information. And that would seem to be a violation of this Florida Security of Communications Act statute. And that's why at least the analysts cited in this article think that this Florida case has a better chance of proceeding than some of the other cases we've
Starting point is 00:18:11 seen on this topic across the country. Because the law in question, the law under which this cause of action has been brought, is more robust than other laws we've seen across the country. That's interesting. I mean, I have to admit that I tend to raise my eyebrows whenever I see someone calling on a wiretapping law, because my sense certainly from things I've seen here in my home state of Maryland is that wiretapping laws are often sort of brought in to come at people for things that perhaps the wiretapping laws were never intended for. You know, whereas the wiretapping laws, in my mind, tend to be a relic of an earlier time when we were all communicating on landlines.
Starting point is 00:18:52 Right. We were literally tapping the wires. Right, exactly, exactly. And it's not that anymore. So, you know, for example, you and I both live in Maryland, which is a two-party consent state, which means if you record something, you have to have permission from all parties involved. And I suspect that's what they're getting at here in Florida. But I don't know. I guess, you know, wasn't she a guest on Intel's site? Right?
Starting point is 00:19:21 Yeah. Yeah, she was. But that doesn't defray the importance of informed consent. Now, there's no guarantee that in court or in a motion to dismiss, Intel and their army of probably extremely accomplished lawyers can argue that there actually was informed consent. I mean, they did have a kind of standard warning that comes with this script that says, you know, we're using a session recorder, tracks, user, mouse movement, clicks,
Starting point is 00:19:51 taps, scrolls, or even network activity. So, you know, there's something there. But, you know, whether that satisfies the requirements of the statute, I think, is in question. Right, right. So it could be, for example, if Intel had had the first thing that you saw when you went to this website was an opt-in. Yes, you have to click agree, yep. Yeah, then they'd probably be off the hook. And that might be the end result of this case. I mean, I think first Intel will try and succeed on a motion to dismiss.
Starting point is 00:20:22 If they do not, they might be interested in settling, saying, all right, if we're going to use this script, we will agree to have some sort of opt-in parameter. So it's not something being sprung onto the consumer without their consent. Right, which I suspect in that case they would probably just do away with it because how many people are, just the friction that that opt-in would create. Right, I mean, certainly they're trying to avoid that outcome. Yeah, yeah, yeah, interesting. All right, well, we'll keep an eye on this one, see how it plays out.
Starting point is 00:20:53 Ben Yelin, thanks for joining us. Thank you. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. We give you lots of reasons to love us. Listen for us on your Alexa smart speaker too.
Starting point is 00:21:35 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your Thank you.
