CyberWire Daily - Widespread exploitation of severe vulnerability in ownCloud.
Episode Date: November 30, 2023

Reports of a critical vulnerability in ownCloud. Sites serving bogus McAfee virus alerts. Japan’s space agency reports a breach. Okta revises the impact of their recent breach. Crypto mixer gets taken down in an international law enforcement operation. "SugarGh0st" RAT prospects targets in Uzbekistan and South Korea. NATO cyber exercise runs against the background of Russia's hybrid war. On today’s Threat Vector segment, David Moulton of Palo Alto Networks’ Unit 42 talks with guest John Huebner about the intricacies of managing threat intelligence feeds. And Russian DDoS’ers are looking for volunteers.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guests

On today’s Threat Vector segment, David Moulton of Palo Alto Networks’ Unit 42 talks with guest John Huebner, an XSIAM Consultant at Palo Alto Networks. David and John delve into the intricacies of managing threat intelligence feeds in cybersecurity. They discuss the challenges organizations face in sifting valuable intelligence from the noise, emphasizing the importance of risk assessments in guiding the selection and tuning of these feeds.

Threat Vector

Please share your thoughts with us for future Threat Vector segments by taking our brief survey. To learn what is top of mind each month from the experts at Unit 42, sign up for their Threat Intel Bulletin.

T-Minus commentary on JAXA’s cyber threat

Dave is joined by T-Minus Space Daily host Maria Varmazis to discuss the significant cyber threat faced by Japan’s Aerospace Exploration Agency, known as JAXA. Listen to yesterday’s episode of T-Minus where they covered the incident.
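The ownCloud story in this episode describes an exploit that is nothing more than a request to a static URL returning the PHP environment, and a mitigation that amounts to deleting a file and disabling phpinfo. Both sides of that are checkable. What follows is an added example written for this page, not code from ownCloud, GreyNoise, Shadowserver or any source linked below: a small detector that runs over web-server access logs and flags requests for PHP information-disclosure scripts, plus a check that a php.ini actually disables phpinfo. The log lines and php.ini fragments are constructed, and the two path heuristics (a script name containing "phpinfo", or any .php script served from an app's vendor/ tree) are assumptions of the example; this page does not name the specific file ownCloud told administrators to delete, so the example does not either.

```python
import re

# Constructed sample access-log lines (Apache/nginx "combined" format); not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [25/Nov/2023:10:14:02 +0000] "GET /index.php/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Nov/2023:10:14:05 +0000] "GET /apps/graphapi/vendor/somelib/tests/info.php HTTP/1.1" 200 88210 "-" "python-requests/2.31"
198.51.100.9 - - [25/Nov/2023:10:14:06 +0000] "GET /phpinfo.php/extra?x=1 HTTP/1.1" 404 210 "-" "python-requests/2.31"
192.0.2.44 - - [25/Nov/2023:10:15:11 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 207 910 "-" "Mozilla/5.0"
"""

# Constructed php.ini fragments: one with phpinfo still callable, one with it disabled.
SAMPLE_PHP_INI_WEAK = "memory_limit = 512M\ndisable_functions =\n"
SAMPLE_PHP_INI_HARDENED = (
    "memory_limit = 512M\n"
    "; information-disclosure primitives the web tier never needs\n"
    "disable_functions = phpinfo,exec,passthru\n"
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)
# Heuristics (assumptions of this example, not the specific file named in ownCloud's advisory):
# a script whose name mentions phpinfo, or any PHP script reachable under an app's vendor/ tree.
SUSPICIOUS_NAME = re.compile(r"phpinfo", re.IGNORECASE)
VENDOR_SCRIPT = re.compile(r"^/apps/[^/]+/vendor/.*\.php$", re.IGNORECASE)


def script_path(target: str) -> str:
    """Reduce a request target to its .php script, dropping the query string and any
    PATH_INFO suffix, so '/x.php/junk?a=1' and '/x.php' compare equal."""
    path = target.split("?", 1)[0]
    m = re.match(r"^(.*?\.php)(?:/.*)?$", path, re.IGNORECASE)
    return m.group(1) if m else path


def find_phpinfo_probes(lines):
    """Return one record per request that looks like a probe for a PHP info-disclosure script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        script = script_path(m["target"])
        if SUSPICIOUS_NAME.search(script) or VENDOR_SCRIPT.match(script):
            hits.append({"ip": m["ip"], "ts": m["ts"], "script": script,
                         "status": int(m["status"]), "served": m["status"] == "200"})
    return hits


def probe_sources(hits):
    """Distinct source addresses behind the probes, for blocking or enrichment."""
    return {h["ip"] for h in hits}


def phpinfo_disabled(php_ini_text: str) -> bool:
    """True if the php.ini text lists phpinfo in disable_functions (last directive wins, as in PHP)."""
    disabled = set()
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment in php.ini
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "disable_functions":
            disabled = {f.strip().lower() for f in value.strip().strip('"').split(",") if f.strip()}
    return "phpinfo" in disabled


if __name__ == "__main__":
    for hit in find_phpinfo_probes(SAMPLE_ACCESS_LOG.splitlines()):
        print(hit)
    print("phpinfo disabled (weak config):", phpinfo_disabled(SAMPLE_PHP_INI_WEAK))
    print("phpinfo disabled (hardened config):", phpinfo_disabled(SAMPLE_PHP_INI_HARDENED))
```

Two details matter in practice. Matching on the script component rather than the raw request line is deliberate: PHP will serve a script when extra path segments follow its name (PATH_INFO), so a rule keyed on the exact path misses trivial variations. And a 200 on one of these hits is the signal that the host actually served the page, which is the point at which the credential rotation ownCloud recommends stops being optional.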
Selected Reading

ownCloud vulnerability with maximum 10 severity score comes under “mass” exploitation (Ars Technica)
Associated Press, ESPN, CBS among top sites serving fake virus alerts (Malwarebytes)
Vidar Infostealer Steals Booking.com Credentials in Fraud Scam (Secureworks)
Japan space agency hit with cyberattack, rocket and satellite info not accessed (Reuters)
Okta October breach affected 134 orgs, biz admits (The Register)
October Customer Support Security Incident - Update and Recommended Actions (Okta)
Okta Hack Update Shows Challenges in Rapid Cyber Disclosures (Wall Street Journal)
US seizes Sinbad crypto mixer used by North Korean Lazarus hackers (Bleeping Computer)
Treasury Sanctions Mixer Used by the DPRK to Launder Stolen Virtual Currency (US Department of Treasury)
Crypto Country: North Korea’s Targeting of Cryptocurrency (Recorded Future)
New SugarGh0st RAT targets Uzbekistan government and South Korea (Cisco Talos)
Russian hackers pose ‘high’ threat level to EU, bloc’s cyber team warns (Politico)
NATO Holds Cyber Defense Exercise as Wartime Hacking Threats Rise (Wall Street Journal)

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
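The Threat Vector conversation in this episode makes two points about indicator hygiene that are easy to state and easy to get wrong in code: indicators ingested without an expiry go stale (IP addresses turn over in days or hours, domains in under a day) and end up blocking infrastructure such as a cloud mail provider, and allowlist entries that nobody revisits leave a standing hole. The example below is added for this page; it is not Palo Alto Networks code and not part of any product or feed the segment mentions. It keeps a small indicator store with per-type lifetimes, a feed-reputation score that decays toward expiry, an allowlist whose collisions are parked for analyst review instead of being blocked, and a review date on every allowlist entry. The lifetimes, reputations, threshold, CIDRs, domains and hashes are constructed assumptions chosen to exercise each path.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed default lifetimes per indicator type (tune per feed): network indicators rotate
# within hours or days, while file hashes stay meaningful far longer.
DEFAULT_TTL = {"ipv4": timedelta(days=3), "domain": timedelta(days=1), "sha256": timedelta(days=365)}


@dataclass
class Indicator:
    value: str
    ioc_type: str             # "ipv4", "domain" or "sha256"
    source: str               # feed name
    reputation: float         # 0.0-1.0: trust placed in this feed's verdicts
    last_seen: datetime       # last time the feed still reported the indicator
    ttl: Optional[timedelta] = None

    def lifetime(self) -> timedelta:
        return self.ttl or DEFAULT_TTL[self.ioc_type]

    def expires_at(self) -> datetime:
        return self.last_seen + self.lifetime()

    def score(self, now: datetime) -> float:
        """Feed reputation, decayed linearly to zero as the indicator approaches expiry."""
        remaining = (self.expires_at() - now) / self.lifetime()
        return max(0.0, min(1.0, self.reputation * remaining))


@dataclass
class AllowEntry:
    value: str                # CIDR or domain suffix the business depends on
    reason: str
    review_by: datetime       # every exception carries a re-justification date


class IndicatorStore:
    def __init__(self, allowlist, block_threshold: float = 0.5):
        self.allowlist = list(allowlist)
        self.block_threshold = block_threshold
        self.indicators = {}  # (type, value) -> Indicator
        self.conflicts = []   # feed entries that collide with the allowlist, for analyst review

    def _allowlisted(self, ind: Indicator) -> Optional[AllowEntry]:
        for entry in self.allowlist:
            is_cidr = "/" in entry.value
            if ind.ioc_type == "ipv4" and is_cidr and ip_address(ind.value) in ip_network(entry.value):
                return entry
            if ind.ioc_type == "domain" and not is_cidr and (
                    ind.value == entry.value or ind.value.endswith("." + entry.value)):
                return entry
        return None

    def ingest(self, ind: Indicator) -> bool:
        # An allowlist collision is parked, never silently blocked or silently dropped.
        if self._allowlisted(ind) is not None:
            self.conflicts.append(ind)
            return False
        key = (ind.ioc_type, ind.value)
        existing = self.indicators.get(key)
        if existing is not None:
            ind.reputation = max(ind.reputation, existing.reputation)  # never downgrade a trusted verdict
            ind.last_seen = max(ind.last_seen, existing.last_seen)     # keep the freshest sighting
        self.indicators[key] = ind
        return True

    def expire(self, now: datetime) -> list:
        stale = [k for k, i in self.indicators.items() if now >= i.expires_at()]
        for k in stale:
            del self.indicators[k]
        return sorted(v for _, v in stale)

    def blocklist(self, now: datetime) -> list:
        return sorted(i.value for i in self.indicators.values() if i.score(now) >= self.block_threshold)

    def overdue_allowlist(self, now: datetime) -> list:
        return [e.value for e in self.allowlist if now > e.review_by]


# Constructed sample data (reserved documentation ranges and names; nothing here is a real IOC).
NOW = datetime(2023, 11, 30, 12, 0, tzinfo=timezone.utc)
ALLOWLIST = [
    AllowEntry("198.51.100.0/24", "assumed cloud mail provider range", NOW + timedelta(days=30)),
    AllowEntry("mail.example", "assumed cloud mail provider domain", NOW - timedelta(days=10)),
]
FEED = [
    Indicator("203.0.113.7", "ipv4", "paid-feed", 0.9, NOW - timedelta(hours=6)),            # fresh, trusted
    Indicator("192.0.2.44", "ipv4", "free-feed", 0.4, NOW - timedelta(days=2)),               # low trust, aging
    Indicator("198.51.100.9", "ipv4", "free-feed", 0.8, NOW - timedelta(hours=1)),            # inside allowlisted range
    Indicator("bad.example.invalid", "domain", "paid-feed", 0.9, NOW - timedelta(hours=30)),  # past the 1-day TTL
    Indicator("a" * 64, "sha256", "paid-feed", 0.9, NOW - timedelta(days=100)),               # hashes keep their value
]


def build_store(feed=FEED, allowlist=ALLOWLIST, now=NOW):
    """Ingest a feed, sweep expired entries, and return the store plus what was dropped."""
    store = IndicatorStore(allowlist)
    for ind in feed:
        store.ingest(ind)
    return store, store.expire(now)
```

With the constructed feed, build_store() drops the 30-hour-old domain, blocks the fresh paid-feed address and the hash but not the aging low-reputation address, parks the address that falls inside the mail provider's range as a conflict, and reports the mail domain's allowlist entry as overdue for review. The linear decay is the simplest choice that makes "how long since the feed last saw this" part of the blocking decision; a real deployment would pick the curve and the threshold from the risk assessment John describes, per feed and per indicator type.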
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Reports of a critical vulnerability in ownCloud.
Sites are serving a bogus McAfee virus alert.
Japan's space agency reports a breach.
Okta revises the impact of their own recent breach.
Crypto mixer gets taken down in an international law enforcement operation.
The SugarGh0st RAT prospects targets in Uzbekistan and South Korea.
NATO's cyber exercises run against the background of Russia's hybrid war.
It's Thursday, November 30th, 2023.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
In today's top story, security researchers report mass exploitation of a critical vulnerability in ownCloud that attackers trigger by simply sending a web request to a static URL. This vulnerability has led to attackers obtaining passwords and cryptographic keys for administrative control. The vulnerability affects versions 0.2 and 0.3 of the Graph API app, which is part of some ownCloud deployments. The flaw was disclosed on November 21st, and within four days, security firm GreyNoise observed mass exploitation attempts on their honeypot servers, which mimic vulnerable ownCloud servers. Additionally, the Shadowserver Foundation reports over 11,000 exposed instances, primarily in Germany, the US, France, and Russia.

The exploitation involves accessing a URL that reveals configuration details from the PHP environment, potentially exposing sensitive data like the ownCloud admin password, mail server credentials, and license keys. Disabling the Graph API app alone is insufficient to secure servers against the threat. ownCloud has advised users to delete a specific file within the app and disable the phpinfo function in Docker containers. They also recommend changing critical credentials as a precaution.

Moreover, ownCloud has recently fixed two other high-severity vulnerabilities, an authentication bypass in the WebDAV API and a subdomain validation bypass flaw. While there are no reports of these vulnerabilities being actively exploited, users are urged to follow the mitigation steps provided by ownCloud. The exposure of this vulnerability in ownCloud and the recent security breaches in various file-sharing apps highlight the increasing risk and potential impact of such exploits on enterprise networks. Users and administrators of ownCloud are advised to take immediate steps to secure their systems in line with the guidance provided.
Malwarebytes warns that the ScamClub threat actor resurfaced several weeks ago following a disruption of its operations by Confiant in September. The threat actor abused ad exchanges used by legitimate sites, including the Associated Press, ESPN, and CBS, in order to redirect users to a phony McAfee security alert. The researchers conclude, "ScamClub is resourceful and continues to have a deep impact on the ad ecosystem."
Secureworks reports a Vidar infostealer campaign that compromised a hotel's Booking.com credentials. An employee fell victim to a phishing attack, leading to Vidar's installation and unauthorized messages sent to guests from the hotel's Booking.com account. Soon after, guests reported unauthorized withdrawals from their accounts. The attackers exploited the lack of multi-factor authentication on the hotel's Booking.com account. Secureworks suggests this incident is part of a larger fraud campaign targeting Booking.com customers and properties. In this scheme, customers received fake messages, seemingly from hotel owners via Booking.com, asking for payment details confirmation. These messages contained malicious URLs where victims entered information, which the attackers then used for financial theft.
Reports surfaced yesterday of a cyber attack targeting JAXA, Japan's space agency. For the details on this story, I'm joined by Maria Varmazis, host of the T-Minus podcast right here on the N2K network. Maria, what do we know about this incident?

Yeah, so thanks, Dave. So what we found out is that JAXA, as you mentioned, Japan's space agency, they disclosed that they had an Active Directory breach over the summer, and it was just disclosed rather recently. And it ends up that an external source, we don't know who, tipped off the agency that some of that information had been breached. And it sounds like it was employee personal details. And now it's being followed by an internal probe. We don't know a whole lot about the nature of the attack. Again, aside from Active Directory was involved. We don't know the motive. We don't know exactly what was breached. Again, personal information from employees seems very likely given that it was Active Directory. And there's no attribution yet either. So things have been a little hush-hush because an attack of this nature is not great, understandably, but it is certainly alarming. So there's attention being paid.

So reading between the lines here, we are assuming that this is more on the IT side of the house than the OT side?

That's correct, yeah. So as much as when we talk about cybersecurity and aerospace, people might think, oh my gosh, satellites or rockets getting hacked. It's almost never stuff like that. It's usually the stuff that's on the ground, and it's often IT systems, and it's a tale as old as time in cybersecurity, right? So yes, this was Active Directory. It was not a rocket or anything that was actually going to space.

For perspective here, when we think about Japan and their place on the global stage for space, where do they sit? Where are they in the pecking order?

They're pretty high up, to be honest with you. They are a major collaborator with countries like the United States, with NASA, with Europe, with India. They do a lot, and they have a lot of major rockets of their own. They are involved in a lot of major missions and fantastic scientific and space firsts. So yeah, they're actually pretty big. So them being hacked, whether it was a drive-by, so to speak, or if it was on purpose, is not great news. And it is kind of scary.

Yeah, not small potatoes by any means.

Yeah.

Maria Varmazis is host of the T-Minus Space Daily podcast here on the N2K network. We will have a link to her team's coverage of this story in our show notes. Maria, thanks for joining us.

Thanks so much, Dave.
Identity and access management company Okta has significantly revised its assessment of a recent breach. Initially, Okta reported that the breach impacted only 134 customers, less than 1% of its total customer base. However, further investigation revealed that the breach potentially exposed data from essentially all of its customers. Okta has not confirmed active exploitation of this information, but warns of the possibility of phishing or social engineering attacks targeting its customers, especially those who have used customer support. Although the compromised information is not considered highly sensitive, the risk of its use in phishing campaigns is a serious concern. The Wall Street Journal highlights this incident as an example of the challenges and risks associated with early disclosure of data breaches and cyber attacks, underscoring the complexities faced by organizations in managing and communicating about cybersecurity incidents.
The FBI, in collaboration with the UK's Financial Intelligence Investigation Service and Finland's National Bureau of Investigation, has seized the Sinbad crypto mixer service, extensively used by North Korea's Lazarus Group for laundering stolen cryptocurrency. This action aligns with sanctions imposed by the US Treasury Department's Office of Foreign Assets Control, targeting Sinbad for processing millions from Lazarus Group heists and other cybercrimes, including drug trafficking and darknet marketplace activities. The sanctions block all of Sinbad's assets within the U.S. or under U.S. control and prohibit any dealings with Sinbad by U.S. entities or individuals. Violations could lead to further sanctions. This crackdown reflects North Korea's increasing reliance on cryptocurrency theft, with Recorded Future's Insikt Group reporting over $3 billion stolen since 2017, as international sanctions cripple its economy. The Lazarus Group's state-supported operations allow it to operate on a larger scale than typical criminal gangs, potentially inspiring other sanctioned entities like Russia to adopt similar tactics in the cryptocurrency arena.

Cisco Talos researchers have released a report detailing cyber espionage activities targeting Uzbekistan and South Korea using a remote access Trojan named SugarGh0st. This RAT is considered a derivative of the well-known Gh0st RAT. The primary method of attack is phishing, involving bait documents specifically designed to pique the interests of the intended targets. Two distinct infection methods were identified, one involving the decryption and execution of the SugarGh0st RAT, the other using the DynamicWrapperX loader to inject and run shellcode that eventually leads to the execution of SugarGh0st. While attribution for these attacks remains uncertain, the researchers tentatively suggest, with low confidence, that a Chinese-speaking threat actor could be responsible.
CERT-EU has issued a warning to the European Union about ongoing cyber attacks by Russia's GRU, specifically by the threat actor APT28, also known as Fancy Bear. According to Politico, at least seven EU governments are currently targeted by these campaigns, primarily through phishing tactics. The attackers are using a variety of decoy documents as bait, including falsified meeting minutes from a European Parliament subcommittee and a report from a United Nations special committee. The suspected long-term objective behind these efforts is to gather intelligence related to the upcoming EU elections next year and potentially to exert influence over these elections.
NATO is conducting a cyber exercise amidst the backdrop of Russia's ongoing hybrid war. This exercise aims to bolster NATO's readiness and response capabilities in the cyber domain, a critical area of modern warfare where digital attacks can complement conventional military strategies. It reflects an acknowledgement of the heightened cyber threats in the current geopolitical landscape, particularly with Russia's active engagement in hybrid warfare tactics that blend traditional military force with cyber operations. This exercise is a strategic step to enhance NATO's collective cyber defense and resilience against such multifaceted threats.
On today's Threat Vector segment, David Moulton of Palo Alto Networks Unit 42 speaks with guest John Huebner, also from Palo Alto Networks. They delve into the intricacies of managing threat intelligence feeds in cybersecurity.

Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.

Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. In today's episode, I'm going to speak with John Huebner, an XSIAM consultant for our Cortex team, about finding the needle in the haystack when it comes to threat intelligence feeds. John has worked in the healthcare and government sectors and is a Navy veteran who transitioned his experience with physical security, anti-terrorism, and leadership into the cybersecurity industry. Let's get right into it.
John, thanks for joining me today on Threat Vector. I wanted to talk to you about threat intelligence. First, how can organizations effectively differentiate between valuable threat intelligence feeds and the noise that often accompanies those feeds and makes it hard to find that proverbial needle in a haystack?

So the companies just sign up for all these free feeds and it really damages their threat intelligence, and it puts more work on the analysts and also creates automations that are not that great, which is a huge part in the cyber industry right now. So finding that valuable intelligence feed is so important. Companies need to start looking at where they are. What are they and what do they do? They need to take their risk assessments, which not that many people do. And then they need to take that risk assessment team and have them communicate with the threat analysts and tell them, hey, we have companies that are located in this country and these might be our current threats. And this is going to be something that's constantly changing. It's not just companies and national threats and hackers. You're also looking at what types of servers are going to attack you, where you're most vulnerable, and you need to assess the risk. Because there's always going to be risk. You can only mitigate risk. And you need to leverage the intelligence that you have from that. And there's going to be some feeds that focus more on some things than others. And some of these free feeds will also not be as good. You're going to get more false positives, but some free feeds may do better for some companies. So going back to the question, you really got to work with your risk assessment and figure out how you can leverage that and find the right intelligence.
So talk about what strategies can be employed to clean up that signal-to-noise ratio in the intelligence feeds.

So a lot of companies have all these free feeds coming in, and it's just mass and massive information. And usually when you're ingesting these feeds, you can put a reputation on how trustworthy that verdict will be. Companies need to start working with this. And there's a lot of threat sharing platforms out there now, like MISP. You have a lot of states doing an interstate MISP where one state shares all their information and IOCs with another state. But some of those aren't going to be valuable. So companies need to go back to those risk assessments that I was just mentioning and really prioritize where it is. And sometimes you may just need to find one feed, one paid good feed, and go with that and then start basically tuning it from there. Threat intelligence is not just ingesting all this data and saying, oh, here's this data, have fun, good luck. It's more of pulling that data in, tuning it, kind of just like a SIEM or some of your other security products. So you need a very active threat intelligence team on there. And you really need to start from the beginning too with, hey, this is our plan, we want to do X, Y, Z, and do it from there. So that would really help clean up a lot of the mess that we're seeing right now.
John, talk to me about the risks you've seen from neglecting expired feeds or not tuning intelligence feeds.

So some of these companies are having these indicators ingested with no expiration. IPs change, domains change, all these IOCs are changing. And some of these domains can change in less than 24 hours. Some of these IPs are also changing in a couple days, probably, sometimes even hours as well. And if you don't ever expire these indicators, they could be on your whitelist, they could be in your blacklist. Either way, it could just not end well for you, because sometimes Microsoft will end up on that blacklist. And if you're running a cloud instance of O365, you're going to start running into trouble and blocking some things that you don't want to block. And even worse, if it's on that whitelist, it might be a very bad day and you're leaving a wide open hole in your organization's security.

So think about the context of threat intelligence. What are some of the best practices you see for identifying and prioritizing actionable feeds and indicators?

You've got to really hash out how you want to move forward, where you want to focus your intelligence, what you want your intelligence to be, and what your main use cases are going to be, along with having a very good threat intelligence team that tunes and treats it as their baby so they can give you a good product and also communicate well with the other parts of the organization.
John, thanks for taking the time to talk to me about your approaches to optimizing and tuning your threat intel. Like most things, the one-and-done approach doesn't work. It really sounds more like gardening, where you have to tend to the feeds with constant evaluation and make the effort to weed out any problems. Sometimes it sounds like it's best to just start fresh. If you're looking for well-curated threat intel and threat actor insights, you should check out the Unit 42 Threat Research Center. And remember, if you think that you're under attack, contact the experts at Unit 42 to help assess your risk and exposure. We'll be back on CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now.

That's David Moulton and John Huebner, both from Palo Alto Networks.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And finally, the Russian hacktivist group NoName057(16) is on a recruiting spree for its volunteer DDoSia project, as proclaimed on their Telegram channel. They're casting a net to enlist cyber warriors in what they describe as a cyber war initiated by the West against Russia. Australian Cybersecurity Magazine reports that these digital soldiers will be compensated in cryptocurrency and can earn ranks and merit awards, mimicking a real military structure. The source of their funding remains murky, though criminal proceeds are a likely suspect. DDoSia, as the name hints, focuses on distributed denial-of-service attacks. The allure of ranks and accolades suggests NoName057(16) is targeting military enthusiasts and perhaps those whose ambitions outpaced their life achievements. It seems in the world of hacktivism, even keyboard warriors can dream of being decorated heroes.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.

A quick programming note. As we near the end of the year, it's the perfect time to reflect on your company's achievements and set new goals to boost your brand across the industry. We'd love to help you achieve those goals. We've got some unique end-of-year opportunities complete with special incentives to launch 2024, so tell your marketing team to reach out. Send us a message to sales at thecyberwire.com or visit our website so we can connect about building a program to meet your goals.

We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Irvin. Our mixer is Tré Hester with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.