By the CyberWire staff
At a glance.
- Risks and reports.
- Threat actor activity.
- Vulnerabilities affect Zendesk Explore.
- Vulnerabilities in Amazon RDS may expose PII.
- CISA releases Stakeholder Specific Vulnerability Categorization (SSVC).
- A study of the language of fraud.
- Australian Federal Police say they know who hacked Medibank.
- Software supply chain risk.
- Difficulties with Twitter's SMS 2FA system.
- PCI Security Standards Council issues new mobile payment standard.
Risks and reports.
A report from Moody’s says that the cryptocurrency ecosystem’s vulnerability to cyberattacks is restricting the sector’s growth. Moody’s says this trend was most recently highlighted by the hacks sustained by FTX shortly after the exchange filed for Chapter 11 bankruptcy last week. Moody’s explains that applications built on the blockchain rely on a “tangle of technologies” that opens them up to attacks. The researchers note that more attacks are now targeting decentralized finance (DeFi) companies compared to centralized finance (CeFi).
The recent collapse, bankruptcy, and compromise of the FTX cryptoexchange bring many of these vulnerabilities into relief. CoinDesk describes a hack sustained by FTX several hours after the exchange filed for bankruptcy. Unknown hackers stole more than $600 million from FTX crypto wallets. WIRED outlines the efforts industry and law enforcement are taking to track the stolen funds. For more on crypto and blockchain issues, see CyberWire Pro.
Moody's Monday morning published a look at cyber risk across various sectors. While most sectors are seeing trends toward decentralization, more remote access, and, of course, further digitization of their operations, not all are equally exposed. "Critical infrastructure sectors like electric, water and other utilities have the highest risk exposure and a growing reliance on digitization but make up only a small share, about 3.5%, of overall rated debt." That risk doesn't mean these sectors are relatively poorly protected, but rather that the consequences of a successful attack could be severe and widespread.
The report concludes, "As of now, the sectors facing the lowest threat exposure happen to be the least digitized: coal mining, construction, oilfield services, and paper and forest products. And as organizations in recent years have accelerated their move to digitized processes, information, systems and networks, that transformation potentially leaves a door open for opportunistic hackers."
Threat actor activity.
Symantec has found that a Chinese state-sponsored threat actor compromised a digital certificate authority in an unnamed Asian country. The threat actor also compromised government and defense agencies in several Asian countries. The threat actor, which Symantec (a unit of Broadcom) tracks as “Billbug” (also known as Lotus Blossom or Thrip), probably intended to use the compromised certificate authority to sign its malware files. Billbug is probably motivated by espionage, and the group isn't new: Symantec noted in 2019 that it is based in China and that espionage appears to be its primary goal. For more on Billbug's recent campaign, see CyberWire Pro.
Game servers have been the target of Distributed Denial of Service (DDoS) attacks by RapperBot, Fortinet's FortiGuard Labs researchers report. FortiGuard Labs had already seen RapperBot in campaigns earlier this year, and there are signs that some Mirai source code is being reused. For more on RapperBot, see CyberWire Pro.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory Wednesday on Iranian government-sponsored APT actors compromising a federal network. The threat actor, Iran's Nemesis Kitten, exploited the well-known Log4Shell vulnerability to infiltrate a VMware Horizon server in February and move across the network. Bleeping Computer reports that the attackers deployed a cryptocurrency miner, as well as reverse proxies on compromised servers, to remain within the network. The Washington Post identified the affected agency as the US Merit Systems Protection Board. CISA warns all organizations that didn't promptly apply Log4Shell remediations to check their systems for indicators of compromise. For more on the Iranian operation, see CyberWire Pro.
Thursday afternoon, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released a joint Cybersecurity Advisory (CSA) on the Hive ransomware group. The advisory provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI investigations. Hive has exploited Microsoft Exchange Server vulnerabilities CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523. The advisory lists IOCs and TTPs specific to the group, as well as mitigations that can be applied to help defend against the risk. For more on the Hive advisory, see CyberWire Pro.
Proofpoint Wednesday offered a look at the return of Emotet, whose major distributor, TA542, resurfaced this month after having been quiescent since July. The botnet has been observed dropping IcedID, and researchers think "Emotet is returning to its full functionality acting as a delivery network for major malware families." The botnet's targets have been widespread, with high volumes of spam hitting the United States, the United Kingdom, Japan, Germany, Italy, France, Spain, Mexico, and Brazil. The researchers conclude, "Overall, these modifications made to the client indicate the developers are trying to deter researchers and reduce the number of fake or captive bots that exist within the botnet. The addition of commands related to IcedID and the widespread drop of a new IcedID loader might mean a change of ownership or at least the start of a relationship between IcedID and Emotet."
Cyjax has published a report on Fangxiao, a Chinese threat actor, apparently motivated by financial gain as opposed to espionage. It relies on phishing baited with spoofed domains of legitimate companies to spread adware. It also appears to be implicated in mobile malware distribution. "We assess that Fangxiao is a China-based threat actor likely motivated by profit," Cyjax writes. "The operators are experienced in running these kinds of imposter campaigns, willing to be dynamic to achieve their objectives, and technically and logistically capable of scaling to expand their business."
Vulnerabilities affect Zendesk Explore.
Researchers at Varonis have discovered a vulnerability in the customer support product Zendesk that could have allowed attackers to access customer accounts. The researchers found a SQL injection vulnerability and a logical access flaw that affected the product’s reporting and analytics tool Zendesk Explore, which is disabled by default. The researchers state that “the flaw would have allowed threat actors to access conversations, email addresses, tickets, comments, and other information from Zendesk accounts with Explore enabled." Zendesk promptly developed and published a patch for the flaw after Varonis reported it to the company. For more on the Zendesk vulnerability and its patch, see CyberWire Pro.
Vulnerabilities in Amazon RDS may expose PII.
Mitiga released research today discussing the exposure of Personally Identifiable Information (PII) in Amazon Relational Database Service (Amazon RDS) snapshots. Amazon RDS is a Platform-as-a-Service (PaaS) offering that provides a managed database built on a choice of engines such as MySQL and PostgreSQL, and RDS snapshots are used to back up those databases. Researchers discovered RDS snapshots that had been shared publicly for hours, days, and weeks, both intentionally and by mistake, and, to mimic what an attacker could do, developed an AWS-native technique for extracting information from such snapshots.
Researchers found that the total number of snapshots seen in the month analyzed was 2,783, and of those, 810 were exposed during the timeframe being analyzed. 1,859 of the snapshots were exposed for only a day or two. The exposure was observed worldwide. The Mitiga team notes that after a snapshot is shared publicly, Amazon sends an email notifying the account owner of the public snapshot. AWS Trusted Advisor, a tool that recommends steps to improve an environment in several areas (cost, performance, and security), also flags public snapshots by showing an "Action recommended" warning in its widget. The research also provides ways to check for public snapshots. For more on RDS vulnerabilities, see CyberWire Pro.
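One way a defender can perform that check, as an added example that is not Mitiga's tooling or AWS code: the sharing state of an RDS snapshot lives in its `restore` attribute, where the literal value `all` means any AWS account may copy or restore it. The parsing below runs offline on a constructed sample; the `audit_account` function (snapshot names and the account ID in the sample are made up) makes the live boto3 calls only when you invoke it with credentials.

```python
from typing import Dict, List


def snapshot_sharing(attributes_result: Dict) -> Dict[str, object]:
    """Summarize who may restore one snapshot.

    `attributes_result` is the DBSnapshotAttributesResult object returned by
    rds.describe_db_snapshot_attributes(). Its 'restore' attribute lists the
    AWS account IDs allowed to copy/restore; the value 'all' means public.
    """
    shared_with: List[str] = []
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            shared_with.extend(attr.get("AttributeValues", []))
    return {
        "snapshot": attributes_result.get("DBSnapshotIdentifier"),
        "public": "all" in shared_with,
        "shared_accounts": [a for a in shared_with if a != "all"],
    }


def find_public(results: List[Dict]) -> List[str]:
    """Identifiers of every snapshot in `results` that is shared publicly."""
    return [s["snapshot"] for s in map(snapshot_sharing, results) if s["public"]]


# Constructed sample (snapshot names and account ID are made up): attribute
# results for three manual snapshots: one public, one shared with a single
# account, one private.
SAMPLE_RESULTS = [
    {"DBSnapshotIdentifier": "prod-customers-2022-11-14",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "staging-2022-11-10",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    {"DBSnapshotIdentifier": "dev-2022-11-01",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
]


def audit_account(region: str, remediate: bool = False) -> List[str]:
    """Live check of every manual snapshot in one region (needs boto3 and AWS
    credentials). With remediate=True, withdraw public sharing by removing the
    'all' value from each exposed snapshot's 'restore' attribute."""
    import boto3  # imported here so the offline parsing above needs no AWS SDK

    rds = boto3.client("rds", region_name=region)
    results = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            results.append(rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"])["DBSnapshotAttributesResult"])
    exposed = find_public(results)
    if remediate:
        for ident in exposed:
            rds.modify_db_snapshot_attribute(
                DBSnapshotIdentifier=ident, AttributeName="restore", ValuesToRemove=["all"])
    return exposed


if __name__ == "__main__":
    # Offline run over the constructed sample; call audit_account("<region>")
    # to run the same check against a real account.
    print("public snapshots:", find_public(SAMPLE_RESULTS))
```

Automated snapshots cannot be shared, so only `manual` snapshots need checking; a snapshot shared with specific account IDs is not public but still worth reviewing against your intended sharing list.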
CISA releases Stakeholder Specific Vulnerability Categorization (SSVC).
Last Thursday, before the US Veterans Day holiday, the US Cybersecurity and Infrastructure Security Agency (CISA) released a guide to the Stakeholder-Specific Vulnerability Categorization (SSVC), which it describes as "a vulnerability management methodology that assesses vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts to safety, and prevalence of the affected product in a singular system." The SSVC is expected to provide important context organizations can use for vulnerability management. For more on SSVC, see CyberWire Pro.
A study of the language of fraud.
A report from Visa and Wakefield Research describes the effectiveness of the language used in social engineering attacks. The researchers found that 48% of respondents believed they could recognize a scam, but 73% were in fact susceptible to common phrases used by scammers. The most successful scams contain the following phrases and terms: “Win online free gift card,” “Free/giveaway,” “Exclusive deal,” “Act now,” “Limited time offer,” “Urgent,” “Click here,” and “Action needed.” The researchers also found that respondents who were confident in their ability to recognize scams were actually more likely to fall victim to them, and people tended to think that others (not themselves) would be more susceptible to scams. For more on the language of social engineering, see CyberWire Pro.
Australian Federal Police say they know who hacked Medibank.
According to TechCrunch, the Australian Federal Police say they know the individuals responsible for the ransomware attack and consequent data breach at Medibank. The AFP hasn't publicly named them, but it has said they're criminals located in and operating from Russia. Other reports have associated the threat actors with the allegedly defunct REvil criminal organization.
Software supply chain risk.
Reuters reports that "thousands of smartphone applications in Apple (AAPL.O) and Google's (GOOGL.O) online stores contain computer code developed by a technology company, Pushwoosh." A number of users, among them the US Centers for Disease Control and Prevention (CDC), thought that Pushwoosh was based in Washington when in fact its operations are centered in Novosibirsk. CDC has now removed the software from seven of its apps. The software also appeared in at least one mobile app used in the US Army (the Army removed it this past Spring). Reuters says there's no evidence that Pushwoosh collected or reported sensitive data to the Russian government, but as a Russian company it's obliged by law to cooperate with the authorities on demand. Pushwoosh's founder denies the company misrepresented itself as being anything other than a Russian business.
Difficulties with Twitter's SMS 2FA system.
Numerous Twitter users are reporting problems with the platform's two-factor authentication system. Wired has a summary of what's been going on. "Some users are reporting problems when they attempt to generate two-factor authentication codes over SMS: Either the texts don't come or they're delayed by hours." That functionality may be among the "bloatware" Twitter's new owners say they're interested in purging from their service. Twitter's help center still indicated this morning that two-factor authentication remains available. (Wired and others note that SMS is not the best form of multi-factor authentication available. Still, better than no 2FA at all.)
PCI Security Standards Council issues new mobile payment standard.
The PCI Security Standards Council (PCI SSC) has published a new standard that supports acceptance of contactless payments from customers' mobile devices.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new item to its Known Exploited Vulnerabilities Catalog. Federal Executive civilian agencies have until December 5th to look for, fix, and report action on CVE-2022-41049, a "Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability." The remediation is, as usual, to "apply updates per vendor instructions."
CISA also released two Industrial Control System (ICS) advisories this Thursday, one for Red Lion Crimson (exploitation of which "could allow an attacker to obtain user credential hashes"), the other for Cradlepoint IBR600 (which "could allow an attacker to execute code and native system commands").
Crime and punishment.
KrebsOnSecurity reports that Vyacheslav Penchukov (noms-de-hack "Tank" and "Aqua"), a Ukrainian cyber criminal and sometime DJ, was taken into custody by Swiss police in Geneva. He now faces extradition to the United States. The charges he faces, according to the Record, pertain to “a wide-ranging racketeering enterprise and conspiracy who infected thousands of business computers with malicious software known as ‘Zeus’.” He's been associated with Evgeniy Mikhaylovich Bogachev, who's been wanted by the US FBI since his indictment in 2012. Mr. Penchukov is alleged to have run the Ukrainian branch of Mr. Bogachev's Zeus operation.
Courts and torts.
In a record-breaking settlement, Google this week agreed to pay $391.5 million to settle a privacy lawsuit filed by a forty-state coalition of attorneys general, Bleeping Computer reports. The suit alleges that the tech giant misled Android users into thinking they had turned off location tracking in their account settings, when in reality the company continued to collect, store and use the customers' personally identifiable location data. The attorneys general said the agreement, which resulted from a four-year investigation into Google’s practices between 2014 and 2020, was the biggest internet privacy settlement ever in the US. Under the settlement, Google has also agreed to be more transparent about its location tracking settings, implement more user-friendly account controls, and limit its use and storage of some types of location data.
Michigan Attorney General Dana Nessel said, "The company's online reach enables it to target consumers without the consumer's knowledge or permission…However, the transparency requirements of this settlement will ensure that Google not only makes users aware of how their location data is being used, but also how to change their account settings if they wish to disable location-related account settings, delete the data collected and set data retention limits." As the New York Times notes, Google spokesman José Castañeda indicated that Google had already corrected some of the issues brought forward in the case. “Consistent with improvements we’ve made in recent years, we have settled this investigation, which was based on outdated product policies that we changed years ago,” he stated.
Policies, procurements, and agency equities.
According to CyberScoop, a forthcoming revision to 2018's National Security Policy Memorandum-13 is expected to give the US Department of Defense enhanced authorities to conduct offensive cyber operations. The revision is said in large part to address roles and missions, with the State Department playing a consultative role. A source told CyberScoop that successes by US Cyber Command have done much to solidify the Pentagon's role in active cyber operations: “CyberCom has been able to notch a bunch of good wins, justifying the argument that having more flexibility, being able to move faster really does help operations.”
Labor markets.
This has been a tumultuous couple of weeks in tech for many major organizations, Twitter at the forefront of the news. Wired reports that, following the news of Elon Musk’s laying off half of Twitter’s workforce last Tuesday, the social media company saw the resignations of top executives. Those included, the Washington Post says, the company’s Head of Moderation and Safety, the Chief Information Security Officer, the company’s Chief Privacy Officer and its Chief Compliance Officer. A tweet from writer Casey Newton on Sunday reads, “Update: company sources tell me that yesterday Twitter eliminated ~4,400 of its ~5,500 contract employees, with cuts expected to have significant impact to content moderation and the core infrastructure services that keep the site up and running.” Business Insider reports that Facebook's former CSO Alex Stamos has been critical of Mr Musk’s approaches, advising Mr Musk to "stop firing best engineers for correcting your clear misstatements." Amid the news surrounding Twitter’s workforce, Bloomberg reports that Mr Musk called bankruptcy a “possibility” for the social media giant if it didn’t generate more cash. Mr Musk's Twitter Blue experiment also quickly went awry, with CNBC reporting a pause in the service after users abused the service to impersonate brands and celebrities.
Satnam Narang, Senior Staff Research Engineer at Tenable, commented on the impact of the Twitter Blue fiasco: "As we’ve seen from the initial roll-out of the blue verified badge for paying subscribers, there has been rampant impersonation of a variety of brands, which has led to a halt on the program for now. While paying $8 to receive a blue verified badge may seem like the most obvious way for scammers to steal money or cryptocurrency from users, an overlooked area of concern is that the traditional tactic of compromising a verified Twitter account to launch impersonation attacks will become much easier because of the availability of more verified accounts for scammers to target.”
"Since earlier this year, I’ve recommended that Twitter add some type of contextual awareness around verified accounts making changes to their accounts or identifying suspicious behavior from verified accounts that have changed things, such as their profile photo or display name. The additional context, similar to the birdwatch functionality on Twitter, could be a way to help thwart scammers from successfully duping users out of their money or cryptocurrency."
Other major companies have been seen downsizing, with Vox reporting Meta's cut of 11,000 employees, or about 13% of its workforce, and Amazon's plans to cut upward of 10,000 corporate and tech jobs. Salesforce has also laid off hundreds of employees, TechCrunch reports, but the company wouldn’t give an exact number, confirming only that the cuts affected fewer than a thousand people.
Tom Kellermann, CISM, Senior VP of Cyber Strategy at Contrast Security, spoke of the state of the tech workforce in a comment: “The massive reduction in the labor force and the recent resignations by C-level cybersecurity and privacy executives will create a vacuum. Lack of investment in cybersecurity and content moderation will allow for cyberspies and cartels to launch targeted cyberattacks from the platform. Confusion over security policies and new management of the platform will be used by attackers to drop payloads and attacks, not just disinformation.”