The CyberWire Daily Podcast 7.13.22
Ep 1618 | 7.13.22

AiTM sets up BEC. Silent validation bots. Smishing attempt at the European Central Bank. Shields up in Berlin. Hacktivism in a hybrid war. Patch notes.

Transcript

Dave Bittner: Adversary-in-the-middle sites support business email compromise. Silent validation carding bots are discovered. Attempted social engineering at the European Central Bank. Germany puts its shields up. Carole Theriault speaks with Jen Caltrider about Mozilla's Privacy Not Included initiative. Our guest is Lucia Milica on Proofpoint's Voice of the CISO report. And hacktivism in a hybrid war.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 13, 2022. 

Adversary-in-the-middle sites support business email compromise.

Dave Bittner: Microsoft Security researchers have found a campaign that uses adversary-in-the-middle techniques, AiTM, to stage more effective business email compromise attacks. Phishing messages directed victims to AiTM sites that would steal passwords and hijack sign-in sessions, skipping authentication even where multifactor authentication had been enabled. The attackers used stolen credentials and session cookies to access victims' mailboxes for more effective and plausible BEC attacks against the victims' colleagues. Microsoft says that more than 10,000 organizations have been affected since last September. Redmond recommends continuous monitoring, advanced anti-phishing solutions and conditional access policies to mitigate AiTM risk. And, of course, let your people know that you won't be emailing them wire transfer instructions to random accounts. We note in disclosure, by the way, that Microsoft is a partner of the CyberWire. 

Silent validation carding bot discovered.

Dave Bittner: PerimeterX reports that its researchers have found a new silent validation carding bot. The bot takes stolen paycard data and attempts to store it in e-tailers' wallet pages, where, if validated and accepted, it would become a stored payment method that could be used in future fraudulent transactions. This technique enables criminals to validate a card without alerting the card's owner to the possibility of compromise. The crooks then have a chance at a bigger payoff if they hold off and place more fraudulent orders from the stolen cards they've already staged on the e-commerce sites. PerimeterX says the bot was detected and stopped before any actual fraud was committed. 

Attempted social engineering at the European Central Bank

Dave Bittner: Reuters reports that unidentified threat actors tried to inveigle European Central Bank President Christine Lagarde into giving them an authentication code for WhatsApp that would have enabled them to open an account linked to Ms. Lagarde's phone number. The attackers claimed to be former German Chancellor Angela Merkel. An ECB spokesperson said, we can confirm there was an attempted cyber incident recently involving the president. It was identified and halted quickly. No information was compromised. We have nothing more to say as an investigation is ongoing. 

Dave Bittner: The not-Merkel said, according to AP, that it would be easier and more secure if they could connect with Ms. Lagarde over WhatsApp. The German edition of Business Insider reports that the attackers had Ms. Lagarde's mobile number and were able to spoof Ms. Merkel's number in their smishing text. Business Insider says, they wanted to use the Chancellor's identity to obtain the authentication code of Lagarde's existing or new messenger service account. This is actually used to verify the link between the personal account and the cell phone number. By sharing the code, the strangers could have taken over Lagarde's account. So even world leaders get smished and phished. We wonder if they receive offers of extended car warranties like the rest of us. 

Germany puts its shields up.

Dave Bittner: Aware of the potential threat of Russian cyberattacks, German authorities yesterday announced a program of increased readiness and resilience. Deutsche Welle reports that the German interior minister explained the motivation for the increased state of alert, saying, the sea change we are facing in view of the Russian war of aggression against Ukraine requires a strategic repositioning and significant investment in our cybersecurity. In addition to new, secure systems for exchanging information, the government intends to promote resilience in small- and medium-sized organizations, saying, that would apply to critical infrastructure - businesses involved in transport, food, health, energy and water supply. 

One addition to CISA's Known Exploited Vulnerabilities Catalog. 

Dave Bittner: CISA added an entry to its Known Exploited Vulnerabilities Catalog. The latest addition, which the federal civilian executive agencies CISA oversees are expected to address by August 2, is CVE-2022-22047, a Microsoft Windows Client Server Runtime Subsystem Privilege Escalation Vulnerability. The remedy is to apply Microsoft's patch. 

Patch Tuesday notes.

Dave Bittner: And speaking of applying Microsoft's patch, yesterday was July's Patch Tuesday, and Microsoft released fixes for 84 issues, including the aforementioned bug that CISA wants U.S. federal agencies to take care of. SAP also patched, issuing 20 new security notes, as well as three updates to earlier advisories. On Tuesday, July 12, CISA released two industrial control system advisories. 

Hacktivism in a hybrid war.

Dave Bittner: And finally, hacktivists in sympathy with Ukraine have conducted distributed denial of service attacks against Russian movie theaters. CyberNews says the attacks, regarded as a tit-for-tat response to Russian DDoS attacks by Killnet and others against Ukrainian and other sympathetic nations' networks, have affected Kinomax, Mori Cinema, Luxor, Almaz and other chains, as well as ticket service Kinoplan. Obviously, such campaigns aren't war winners. 

Dave Bittner: The Record reports a consensus among Ukrainian security firms that DDoS is popular because it's easy and that the targets selected for disruption are picked because they're destructible, not because they're either high-value or high-payoff. Ukrainian hacktivists have been more or less assembled into a loose umbrella group. The Ukrainian government says it doesn't direct the IT Army. And, indeed, their opportunistic and improvisational target selection would seem to argue that their organization is pretty thin. The Record says this lack of planning makes sense, given that IT Army is an independent group of volunteer hackers, not a trained cyber army unit. 

Dave Bittner: Ukrainian security official Victor Zhora said, we do not coordinate cyber volunteers in their attacks and have no information on any such coordination centers. So hacktivism might be regarded as a morale builder. Yegor Aushev of Cyber Unit Technologies told the Record, the only benefit of IT Army's DDoS was that thousands of people came together and felt useful in their resistance to Russia. It's striking to see how commodified DDoS apps have become, freely provided and readily accessible, complete with short how-tos that show you how to operate them. It's not going to drive the Russian army back to Moscow, but at least it gives the hacktivists a sense that they're doing something. 

Dave Bittner: The team at Proofpoint recently shared their 2022 Voice of the CISO report highlighting some of the challenges facing security professionals. Lucia Milica is global resident chief information security officer at Proofpoint. 

Lucia Milica: As we've seen for the last several years, cybercrime reached a heightened level of intensity and sophistication. We saw greater complexity in ransomware, supply chain and critical infrastructure attacks. And when you add to that the digitization and consumerization that have driven so much of the complexities in the environments that we have to protect today, as well as some of the regulatory landscape regulations and challenges that came from those different systems, it really highlighted the need to hone in on what security leaders are grappling with. And as we see the ever-evolving threat landscape, what are some of the bigger challenges that we all collectively have to wrap our heads around? 

Dave Bittner: Well, let's go through some of the specific findings together. What are some of the things that caught your attention? 

Lucia Milica: I will say the first one that was very interesting to me was the fact that 48% of the surveyed CISOs feel their organization is at risk of suffering a material cyberattack in the next 12 months. And that is down from the previous year, which was at 64%. 

Dave Bittner: What are some of the other things that caught your eye? 

Lucia Milica: There are two other things. One is the human factor. And it's interesting to see that - the perception versus reality. But in our Voice of the CISO report, we saw that 56% of global CISOs consider their employees to be their biggest cyber vulnerability. Now, if you look at other data points - like, for example, the World Economic Forum reports 95% of cybersecurity issues are traced to human error. The Verizon Data Breach Report - I think that 2022 had 82% of incidents related to the human element. To me, it was an interesting gap there between, is there a perception or is there a reality gap between those different numbers? 

Lucia Milica: So the last one was the board buy-in. And it's something that is very near and dear to my heart, where there's a lack of board buy-in or at least perceived lack of support from the boardroom that has increased. So in this year, in 2022, we saw that just over half, 51% of global CISOs agree that they see eye to eye with their boards on cybersecurity matters. Now, that is down from 59% last year. Also, by the same token, when you looked at - we started asking some additional questions around, hey, what are the top board concerns, so we can figure out, are we focusing on the right areas of risk? It was interesting to see that, you know, globally, significant downtime was at 37%, one of the top concerns, followed by disruption to operations at 36% and impact on business valuation also at 36%. So those are very interesting findings from my perspective. 

Dave Bittner: So based on the information that you've gathered here, what are your recommendations? 

Lucia Milica: There are a number of recommendations. So for me, first and foremost, the threat landscape is continuously evolving. So it's important to stay up to date and really understand, what are some of your peers grappling with, right? What's top of mind for everybody else? I think understanding that the security leaders - we're not the only ones struggling with maybe the increase in volume of attacks or insider threats. One of the findings that was really interesting to me as well was the fact that insider threats, for example, have moved up to first. When we asked CISOs in terms of, what were the biggest cybersecurity threats within the organization, that has shifted. 

Lucia Milica: And it was interesting to see that ransomware - despite really being covered extensively in the media in the last year, ransomware came in sixth at 28% - so really understanding what everybody else is focusing on. And then last but not least, I think, for me, is closing the gap between CISOs and boards. It's absolutely critical. And I think it's important to understand some of the communication challenges that a lot of security leaders are perhaps challenged with in terms of seeing eye to eye with their boards. I think cyber risk is business risk. And being able to have cybersecurity oversight and have the right support at the executive level is absolutely critical for us to succeed in doing our jobs and adequately being able to protect organizations and, by the same token, really understanding and being able to focus on the business risk, the business impact that cybersecurity can have on their organizations broadly. 

Dave Bittner: That's Lucia Milica from Proofpoint. 

Dave Bittner: Carole Theriault recently spoke with Jen Caltrider from Mozilla about their Privacy Not Included initiative. Carole Theriault files this report. 

Carole Theriault: Well, listeners, do I have a treat for you today. We have Jen Caltrider. She's Mozilla's Privacy Not Included head honcho. Thank you for taking the time to be on the show 'cause I can tell from the output on the site, Privacy Not Included, that you guys are busy cats over there. 

Jen Caltrider: Yeah. Yeah. There's a lot of privacy problems in the world today. 

Carole Theriault: I couldn't agree more. So maybe we should start at the top. So for those listeners who don't know about Mozilla's Privacy Not Included project, could you give us a quick overview? 

Jen Caltrider: Yeah, sure. So back in 2017 - which seems like the land before time these days, but it was only, like, six or seven years ago - a lot of connected devices were starting to become more prevalent in people's homes. You know, people were getting smart speakers and robot vacuums and fitness trackers and everything. And when we looked at - or around at Mozilla - you know, Mozilla really cares about privacy. We're a nonprofit with a mission that focuses in part on trying to protect the privacy on the internet. And we didn't see that average consumers could find out before they bought a product, what are the privacy and security concerns of this connected device or this connected app? 

Jen Caltrider: So on a whim almost, we kind of said, well, let's try and create a buyer's guide for people to help explain that. You know, without a lot of resources, we kicked it off. And we were just curious if people would even care, you know? There's websites that review products on features and reliability and things like that, but nothing like privacy and security. So we gave it a shot, and we found that people liked it. You know, everybody says they want to protect their privacy, but when it comes to what we can do, there - it's a lot harder to know. 

Jen Caltrider: Since 2017, we have been reviewing the privacy and security of connected devices. We've moved into doing apps as well. We've gone from kind of just trying to state the facts to being a little more opinionated to help people understand, hey, what this company's doing is really bad, and, you know, maybe you should find some other product to use if you care about privacy to, hey, we have a best-of list now, and we have a Creep-O-Meter where people can rate how creepy they find products. And we have a Privacy Not Included warning label that, you know, when you land on a product, if it has that, that's just kind of saying, hey, you know, we'd be wary of using this product because your privacy might not be protected. 

Carole Theriault: It's really cool how far and wide your project has gone because you do things for the smart home. You do toys and games. You do entertainment. You do wearables. You do health and exercise, pets, video call apps, dating apps. I mean, you really cross the whole gamut. This must be a massive workforce here. 

Jen Caltrider: If only. We're a very small team, actually. We're a team of two. There's two of us, myself and Misha Rykov, who's my fellow researcher. And we do all the reviews of the products. And we approach our reviews of the products like a consumer would. We kind of want to tell people, what can consumers find out before they buy a product to know if it's private or secure? Because you don't want to get home with it and then start setting it up and be like, oh, yeah, once you connect this, we're going to collect all your data. 

Jen Caltrider: And so we approach it like that, and we look at what's available publicly. You know, we read privacy policies and public documentation and news articles about the company. We email the email listed in the privacy policy for privacy-related questions to see do they get back to us? You know, if they do, do they answer their questions? You know, what - can we tell if they are using strong encryption to protect your data? Can we tell if they have a way to manage security vulnerabilities? And so the two of us, you know, we just spend all our time kind of digging in and looking at that. We do have lawyers that come in at the last minute and review everything to make sure we aren't going to say anything incorrect or that, you know, might get us sued. But for the most part, it's just Misha and I with our heads down doing research that, if you were an average consumer and had 8 hours a day to do this and a bit of knowledge, that's what we do. 

Carole Theriault: I am absolutely gobsmacked that there's only two of you doing all this work. That is a testament to your skill and passion, let me tell you. Now, in your research, do you often find a disconnect between what is being said on the website and what is said inside the privacy agreement, for example? 

Jen Caltrider: You mean how companies say they protect your privacy and then what they actually do? 

Carole Theriault: Yep. Exactly. 

Jen Caltrider: Yeah. Indeed. I can't tell you how many privacy policies I read that crow at the top of their privacy policy, we will never share or sell your data without your consent. We care about your privacy. I mean, every company says that, right? And then you keep, like, reading and digging into their track record and what data they collect and how they share that data, and you're like, holy cow. Like, you know, everybody says they care about privacy, but there's a lot of, like, show don't tell here. And a lot - too many companies just collect as much personal information as they possibly can because that's very valuable to them. They use it for targeted advertising and personalization and sharing it with business affiliates and selling it in some cases. And they take the data they have on you, and they go out to other third parties like social media sites or data brokers or public sources, and they collect even more data about you because the more they know about you, the more they can keep you addicted to the app or target you for - to buy more products to get you to sell you more things. And so it's - you know, it's really hard to trust these companies these days when it comes to privacy. And it's sad. I'm a little jaded. 

Carole Theriault: I don't blame you one bit. I just am super glad you do what you do. Now, little problem - we've almost run out of time, and we haven't touched upon your research into mental health apps, which I think is fascinating. So I'm going to invite you on next time so we can discuss this. And in the meantime, listeners, go check out Privacy Not Included. Go see the devices that you have in your house, and see how they stack up against others. And if your device isn't listed, you can actually fill in a request so that it gets reviewed. Isn't that right, Jen? 

Jen Caltrider: Yeah. We have a form there that you can submit requests for reviews. We obviously can't review everything. We wish we could. And so we try and focus on what we know people will like. So please let us know what you're interested in. And because we can't review everything, you know, even just reading a couple of reviews of similar things will give you some ideas of what questions to look for, what questions to ask. You know, it's just hopefully we're helping people understand a little bit more of the concerns they should have and how they can approach it so that you can just shop a little bit smarter. 

Carole Theriault: Couldn't agree more. This was Jen Caltrider. She is the lead at Privacy Not Included, a Mozilla project. Thank you so much for coming on the show. 

Jen Caltrider: Oh, well, thanks for having me. And thanks to people who care. I appreciate it. 

Dave Bittner: Be sure to check out tomorrow's CyberWire for Part 2 of Carole Theriault's interview with Jen Caltrider from Mozilla. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.