A Black Basta update. Okta talks Scatter Swine. Nobelium's MagicWeb. Wartime stress in the cyber underworld. LastPass security incident. CISA adds to its Known Exploited Vulnerabilities Catalog.
Tre Hester: Palo Alto describes the Black Basta ransomware-as-a-service operation. Okta on Scatter Swine, the threat actor that compromised Twilio. Microsoft describes Nobelium's new approach to establishing persistence. Russia's war against Ukraine has induced stresses in the cyber underworld. LastPass discloses a security incident. Josh Ray from Accenture on cybercrime and the cost-of-living crisis. Our own Dave Bittner sits down with Chris Handman of TerraTrue to discuss how he works to transform legal teams into advocates and collaborators to ensure that privacy is baked in every step of the way. And CISA adds 10 entries to its Known Exploited Vulnerabilities Catalog.
Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester, filling in for Dave Bittner, with your CyberWire summary for Friday, August 26, 2022.
Palo Alto on Black Basta ransomware.
Tre Hester: Researchers at Palo Alto Networks have published a description of the operations of Black Basta, a ransomware-as-a-service operation that emerged in April of this year and has since become one of the more active threats. The report states, quote, "although their RaaS has only been active for the past couple of months, it had compromised at least 75 organizations at the time of this publication. Due to the high-profile nature and steady stream of Black Basta attacks identified globally in 2022, the operators and/or affiliates behind the service likely will continue to attack and extort organizations," end quote.
Tre Hester: Black Basta is a cross-platform, double-extortion threat. Its criminal users have been active against what Palo Alto characterizes as "large organizations." The targets are found across a wide range of sectors - consumer and industrial products, energy, resources and agriculture, manufacturing, utilities, transportation, government agencies, professional services and consulting firms and realtors. Chatter in underground fora by operators of the ransomware have shown a particular interest in the Five Eyes - that is, Australia, Canada, New Zealand, the United Kingdom and the United States - but attacks have been observed in the U.S., Germany, Switzerland, Italy, France and the Netherlands.
Okta on Scatter Swine, the threat actor that compromised Twilio.
Tre Hester: Group-IB called the campaign Oktapus, since one of the threat actors' principal goals in compromising Twilio was to obtain credentials for Okta's identity and access management software. Twilio, a widely used provider of programmable communication tools, detected the social engineering campaign on August 7 and provided an update on the 24. Okta has since described the campaign, and they're tracking the threat actor as Scatter Swine. Okta has seen Scatter Swine before. Quote, "Scatter Swine has directly targeted Okta via phishing campaigns on several occasions, but was unable to access accounts due to the strong authentication policies that protect access to our applications," end quote. Using logs provided by Twilio, Okta's security team, quote, "established that two categories of Okta-relevant mobile phone numbers and one-time passwords were viewable during the time in which the attacker had access to the Twilio console. A one-time passcode is valid for 5 minutes," end quote.
Tre Hester: They determined that there had been two categories of threat activity. First, a primary category - those mobile phone numbers the threat actor searched for directly in the Twilio console. In these cases, the threat actor was seeking to expand access using credentials stolen in earlier attacks. A secondary category - mobile phone numbers that can be considered incidental to the specific actions or objectives of the threat actor - that is, these were phone numbers that may have been present in the Twilio portal during the threat actor's limited activity window. Okta's analysis reveals no indication that the threat actor targeted or used such mobile phone numbers.
Tre Hester: Okta's account includes a lengthy discussion of the attacks, techniques and procedures Scatter Swine used, and these are interesting for what they reveal about the conduct of a social engineering attack - about the way in which intelligent use of phishbait and convincing voice impostor combine with commodity phishing kits to harvest user credentials. They also include advice on how an organization can protect itself. Quote, "use Behavior Detection to act via set-up authentication or alert via system log when a user's sign-in behavior deviates from a previous pattern of activity. This threat actor is almost always attempting to authenticate from a new device and a new IP address that has no previous association with the user," end quote.
Microsoft describes Nobelium's new approach to establishing persistence.
Tre Hester: Microsoft researchers have described how Nobelium, the Russian state threat actor more commonly known as Cozy Bear - that is ***
Tre Hester: *** the SVR Foreign Intelligence Service maintains persistence in compromised environments. Nobelium is engaged in cyber-espionage, quote, "executing multiple campaigns and parallel targeting government organizations, non-governmental organizations, inter-governmental organizations and think tanks across U.S., Europe and Central Asia," end quote. It's deploying a new toolkit Microsoft calls MagicWeb to maintain persistence in the face of attempts to evict it from compromised networks. Quote, "MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Activity Directory Federated Services Server (ph). It manipulates user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML," end quote. Microsoft concludes its advisory with some guidelines for hunting MagicWeb infestations, and it strongly recommends that organizations accord ADF servers appropriate protection. Quote, "it's critical to treat your ADFS servers as a Tier 0 asset, protecting them with the same protections you would apply to a domain controller or other critical security infrastructure," end quote.
Russia's war against Ukraine has induced stresses in the cyber underworld.
Tre Hester: An essay in The New Statesman describes the ways in which the special military operation has produced fissures in the criminal precincts of the dark web. The report cites observations by researchers at security firm ZeroFox, whose Adam Darrah says that the code of criminality, which has generally governed behavior in Russophone fora, had been stretched to the breaking point by the war. Darrah explained, quote, "you're not allowed to develop tools or sell embarrassing information that could hurt any nation in the Commonwealth of Independent States, a group made up of former Soviet republics," end quote. The gangs had operated under a modus vivendi guaranteed by Russian official toleration and protection. But Conti's public declaration for Russia's cause in the early days of the war fractured the consensus under which the criminal gangs had conducted business. Criminals have intensified their activities, and that activity increasingly mirrors the political conflicts in the open, aboveground world.
LastPass discloses a security incident.
Tre Hester: LastPass, whose password manager is widely used by both individuals and organizations, disclosed yesterday that an unauthorized party accessed a portion of the company's development environment. The intruder gained access through a compromised developer account and was able to take portions of source code and some proprietary LastPass technical information. LastPass says its customers' accounts remain secure and that its services are operating normally. The company says it's contained the incident, is working on mitigation and will keep customers apprised of developments. Proper caution would advise enabling multi-factor authentication on LastPass accounts if you haven't already done so.
CISA adds ten entries to its Known Exploited Vulnerabilities Catalog.
Tre Hester: And finally, the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, yesterday added 10 new vulnerabilities to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation in the wild. U.S. federal civilian executive agencies have until September 15 to search for and remediate this most recent set of vulnerabilities. The prescribed remediation is, as is normally the case, to apply the vendor-supplied updates.
Dave Bittner: When we talk about user privacy, it's fair to say that in a lot of organizations, there is, if not outright hostility, maybe low-level suspicions between the software development team and the folks in legal. Everyone's doing their jobs in good faith, of course. But sometimes they can find themselves at odds. Chris Handman is co-founder and chief operating officer at TerraTrue, an organization that's aiming to foster collaboration between the legal and software development teams to make sure privacy is baked in every step of the way.
Chris Handman: With the privacy landscape, when you think about where we are today, at least here in the United States, we still are largely governed by a kind of free-for-all. There is, as of today at least, no federal privacy legislation to speak of. There are a handful of state laws that have recently come down the pike, starting first in California and sort of extending eastward into Colorado and Virginia and a few others - about a half-dozen states at this point. And all of those states were taking their cues not from Congress but from the EU, which famously passed the GDPR in 2018 when it came effective.
Chris Handman: And what we are really dealing with today is still this privacy revolution that remains in its infancy. Laws still are forming. Privacy, when done properly, is a motivation, you know, from companies wanting to do the right thing and understanding the processes, the cultures, the mechanisms and tooling to be able to get privacy right. And the only way you can really think about privacy in this day and age, being able to keep pace with a fast-moving, iterative life cycle of software development is to - you know, this is the phrase, like, shift left, right? We know about the concept in the security space about shifting left, moving regulation and testing and all sorts of scrutiny further into the ideation and development cycle as opposed to this kind of reactive - after products go out the door, you know, take a look. And I think ***
Chris Handman: *** privacy has historically occupied this almost rightward tilt on that continuum. It's a very reactive, very siloed type of discipline in the past. And I think what companies have increasingly come to embrace is this notion of shifting privacy left. Some have called it, like, privacy by design, but I think that has sometimes this, like, almost academic tone to it. And I think what privacy needs to do and what a lot of companies are starting to recognize is move privacy from this siloed, compliance-heavy idea into sort of a forward-thinking, how can we enhance the products from the get-go? How can privacy be a component of the way we enhance and develop our products? And that shift in thinking has already, I think you see at companies across the board, developed richer, better privacy-protective products. And in fact, you kind of see it now manifest in really unique, cultural ways. You know, look at Apple, for example, in their advertising iPhones, right? They are having national campaigns built around really one value prop, right? This iPhone will protect your privacy. And that is a unique change in I think the zeitgeist of the way we think about privacy, the way companies develop products. And so as companies look to enhance that privacy posture, to have more agility as new laws come down and have to adapt to new regulatory rules, having privacy built in this proactive shift-left mentality is going to be a really important way of guiding those future developments.
Dave Bittner: You know, you're using the term collaboration, which I like. But I can imagine that there are lots of organizations out there who, from the developers' point of view, they look at the legal team as almost being adversarial. You know, they're the one, the department of no, throwing up, you know, roadblocks and speed bumps. How do you execute that culture shift to make it a true collaborative effort?
Chris Handman: It's a great point. And I think one of the fears that I think most modern legal teams have is that they're going to be viewed as the place that, you know, good ideas go to die. And it is precisely that concern that I think is one of the biggest impediments to developing the types of privacy programs that are effective and dynamic and sort of well-suited for today's environment. And I think it begins with trust. A legal team, a privacy team that goes into a product team or an engineering team and starts reciting chapter and verse about Article 39 of the GDPR or, you know, some obscure subsection of the CPRA is very unlikely to garner the types of trust. You need to speak about privacy in terms of product and the way privacy can enhance the product, the goodwill, the types of proactive approaches to the way we want to think about our consumers, that I think product people tend to want to pride themselves on.
Chris Handman: And it is a matter then of meeting them where they work, right? What - that is both a virtual and a sort of physical manifestation. It's trying to work in the same tools. It's trying to go to those stand-ups, trying to be involved in those specs or confluence docks or wherever they happen to be iterating on these concepts and then gradually creating that culture that says, hey, my role here isn't to veto. It's not to flyspeck what you're doing. It's to really help you understand perhaps unintended or unseen consequences of using that type of data. There's a lot of uncertainty around even what data we are using.
Chris Handman: It's remarkable when you start talking to some product folks. They may not even appreciate all the types of data that is being collected or may not appreciate that this is data that can actually be repurposed to specifically target individuals. And so there's an educational process. And as you begin to talk in those pragmatic terms, I think those teams come to appreciate the value that legal and privacy teams can impart to the way they build their products. But that's really - the emphasis is on building products as opposed to checking them off or, like, going through a regulatory box-checking exercise. And so it's a matter of tone. It's a matter of culture. It's a matter of emphasis. But I think when you combine those, the privacy teams have a very unique ability to become players in that development process. And if you can't do that, then the whole concept of shifting left or privacy by design or whatever rubric you want to put this under - it becomes completely illusory, and you really do then default to the old world of just privacy as being this sort of compliance checkbox.
Dave Bittner: That's Chris Handman from TerraTrue. There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for interview selects, where you'll get access to this and many more extended interviews.
Dave Bittner: And joining me once again is Josh Ray. He is the managing director and global cyberdefense lead at Accenture. Josh, always great to welcome you back.
Josh Ray: Dave, thanks so much for having me.
Dave Bittner: You know, we are not in a bubble here in the cybersecurity world. And we're seeing headlines every day about how the price of everything is going up, even extending to the war in Ukraine, about how that can affect the cost of everyday goods. I know this is something that you and your colleagues have been looking into ***
Dave Bittner: *** here, the true broad effect of the cost of cybercrime. What can you share with us today?
Josh Ray: Yeah, Dave, I think, you know, today the team and I - and I was having a great conversation with a colleague of mine, Paul Mansfield, about this. It's really, you know, along the lines of a public service announcement - right? - you know, this whole confluence of world events, you know, the fallout from the pandemic, the conflict in Ukraine. And people, you know, I think across the board are really feeling the squeeze around this cost of living increase and some economic hardships. And what we've noticed is, you know, similar to what we saw during the pandemic, where we saw a whole new raft of cybercriminals focused on COVID fraud and really focused on defrauding, you know, governments and organizations and using those as lures. Now we're seeing that really starting to kind of pivot towards the end consumer. And we really just wanted to make sure that we are helping folks kind of raise their awareness in that regard.
Dave Bittner: What sort of things are you all tracking?
Josh Ray: Well, you know, we're seeing a lot of things like opportunistic criminals have been targeting early providers of, say, like, rebates and refunds by distributing phishing campaigns that are really designed to trick victims into divulging things like, you know, personal and financial information. And while, you know, this is obviously not a new thing and people get targeted by these types of things every day, it's really kind of targeting on the heartstrings or the emotional effects of the economic hardships and kind of the cost of living increases. So we've seen things like, you know, cheap fuel cards, stolen gift cards, loyalty cards - really focused on making sure that, you know, they are, again, focused on that emotional component to really kind of elicit the quick response, the kneejerk response from the consumer to trick them into obviously, you know, giving up their financial information.
Dave Bittner: Yeah. I guess, I mean, it's worth pointing out that anyone can fall victim to this. You know, we all have emotions. And it's easy for all of us in the, you know, fast-paced world in which we live - nobody's immune to falling for these sorts of scams that can hit you emotionally. And as you say, they do it quickly.
Josh Ray: That's correct. Yeah. And I think it's kind of a - very much of a point in time type of thing, right? So, you know, you imagine yourself. You're, you know, trying to make ends meet, and you're getting ready to go to the gas pump, and, you know, you get targeted by one of these things. You know, of course, you know, you're going to potentially click on a link or try to, you know, find out how you can save a few bucks. And I think it's, you know, really kind of incumbent upon the security community as a whole just to make sure that, you know, people are taking a step back and just being aware that there are criminals out there that are taking advantage of folks. And we just want to make sure that - you know, this whole notion of buyer beware, both for businesses and consumers, to really stay vigilant.
Dave Bittner: Yeah. And it's a good reminder that, you know, those of us who are in this every day - to reach out to our friends, our family, our coworkers, our colleagues, even our kids, and remind them that those folks are out there.
Josh Ray: That's absolutely right. And we do become, you know, as security professionals, very callous. And I think, you know, we just accept this kind of as the norm. But, you know, I do think we have a responsibility to make sure that, you know, the broader people that, you know, we're involved with on a day-to-day basis are aware of these types of scams, are aware of these types of phishing attacks and know that, you know, there's bad people out there that are trying to take advantage of it.
Dave Bittner: Yeah. All right. Well, good advice, as always. Josh Ray, thanks for joining us.
Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com Don't forget to check out this weekend's episode of "Research Saturday," where our own Dave Bittner sits down with Nick Ascoli from ForeTrace to discuss their partnership with PIXM, and their team's work on "Phishing Tactics: How a Threat Actor Stole 1 Million Credentials in 4 Months." That's "Research Saturday." Check it out.
Tre Hester: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. See you back here next week.