The CyberWire Daily Podcast 9.19.22
Ep 1665 | 9.19.22

An update on the Uber breach. Emotet and other malware delivery systems. Belarusian Cyber Partisans work against the regime in Minsk. And risky piracy sites.

Transcript

Dave Bittner: An update on the Uber breach. Emotet and other malware delivery systems. Belarusian Cyber Partisans work against the regime in Minsk. Grayson Milbourne of Webroot on the arms race for vulnerabilities. Rick Howard continues his exploration of cyber risk. And speaking of risk, risky piracy sites - that's on the internet, friends, not the high seas.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 19, 2022. 

An update on the Uber breach.

Dave Bittner: Persistent social engineering - pestering, really - that softened up employees for a bogus call from IT appears to have gained a hacker deep access to Uber's systems. Uber's initial disclosure of the breach on September 15 was terse, saying, we are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available. On the 16th, they'd offered the following amplification. While our investigation and response efforts are ongoing, here is a further update on yesterday's incident. We have no evidence that the incident involved access to sensitive user data like trip history. All of our services, including Uber, Uber Eats, Uber Freight and Uber Driver, are operational. As we shared yesterday, we have notified law enforcement. Internal software tools that we took down as a precaution yesterday are coming back online this morning. 

Dave Bittner: Someone claiming to be the threat actor responsible for the intrusion bragged in the company's Slack channels. Hi here, the hacker posted. I announce I am a hacker and Uber has suffered a data breach. Slack has been stolen. Confidential data with Confluence, Stash and two monorepos from Phabricator have also been stolen along with secrets from sneakers. Employees who saw the post thought it was a goof, The Verge reports. And many cheerfully played along until it became clear that, in fact, the breach was real and potentially serious. Ars Technica thinks that the story the hacker tells is plausible and that while it's still not clear what the hacker gained access to, potentially, at least, it's quite a bit. WIRED reports that screenshots provided by the hacker suggest deep access, including access to OneLogin accounts. Uber has said there's no evidence that customer data was compromised. But as The Hacker News suggests, this may be a case in which the absence of evidence isn't evidence of absence. As Uber itself has said, the investigation is ongoing. 

Dave Bittner: Apparently, the self-identified 18-year-old who compromised Uber just kept at it - made themselves such a pest that people eventually caved in and forwarded MFA push-prompts in the hope that it would get them off their back. It's like a hacker's inversion of the parable of the persistent widow and the unjust judge, only in this case, the pest is unjust and the pestered are the righteous ones. The Jerusalem Post describes the pestering, stating, the hacker reportedly claimed that he had spammed an Uber employee with push notification login requests for over an hour before contacting him on WhatsApp while claiming to be from Uber IT and telling him that he would need to accept the request if he wants them to stop. The employee then accepted the request, allowing the hacker to log in to the employee's account and access the company's internal servers. 

Emotet and other malware delivery systems.

Dave Bittner: Researchers at AdvIntel have observed more than 1.2 million Emotet infections since the beginning of 2022. Most of the infections, around 35%, are located in the United States. The researchers also warn that the Quantum and BlackCat ransomware groups are now using the malware distribution botnet following the breakup of Conti in June 2022. The researchers state, the observed botnet taxonomy attacker flow for Emotet is Emotet to Cobalt Strike to Ransomware Operation. What this means is that currently the way that threat actors primarily utilize Emotet is as a dropper or downloader for a Cobalt Strike beacon, which deploys a payload allowing threat actors to take over networks and execute ransomware operations. BleepingComputer adds that significant spikes in Emotet activity were observed by both AdvIntel and ESET in 2022. According to Check Point's visibility, however, the FormBook info stealer replaced Emotet as the most prevalent malware strain in August 2022, followed by the AgentTesla Trojan, the XMRig cryptominer and the Guloader downloader. Meanwhile, AlienBot, Anubis and Joker were the most common mobile malware strains. 

Belarusian Cyber Partisans work against the regime in Minsk.

Dave Bittner: The Cyber Partisans continue to operate as domestic opposition to the government of Belarusian President Lukashenka. Their activities, as described in an overview by the Record, have principally involved embarrassing the regime through doxing, with amplification of discreditable information through internet memes and rough animation that's reminiscent of "South Park's" visual style. From the Record's reporting, although made up mostly of young tech specialists and activists, the Cyber Partisans resemble an amateur intelligence service. They have a political agenda, clear goals and put a lot of effort into collecting and analyzing sensitive data. A Bloomberg report earlier this summer described the Cyber Partisans as having taken hacktivism to the next level. 

Dave Bittner: The Record puts the Cyber Partisans' number at about 60 and describes them as, for the most part, self-taught. Their approach suggests the lines along which hacktivism might successfully be conducted. The goal is embarrassment. The means are doxing and ridicule, not demonization, supplemented by selected attacks against the regime's infrastructure. Ridicule is probably more productive against an authoritarian regime that depends upon fear and the projection of strength as its surrogate for legitimacy. And on target selection, the Cyber Partisans are notable for their ability both to pick high-value targets and to attack them in a discriminating fashion. They look for targets whose disruption interferes with crucial operations of the regime, and they see their cyberattack against Belarusian rail traffic as a good example of this. It interfered with the movement of Russian material through Belarusian networks to invasion forces in Ukraine. 

Risky piracy sites.

Dave Bittner: Today, of course, is International Talk Like A Pirate Day, mateys. Have you fed the parrot and finished your holiday shopping? We have, except we don't actually have a parrot. And talk, if you will, like a pirate, but stay off the piracy sites. The Digital Citizens Alliance, in partnership with White Bullet and Unit 221B, released a report detailing piracy sites and advertising. Malware has also been found on piracy sites and advertisements targeting users. Researchers found that those who visited piracy sites were exposed to an estimated 321 million malicious ads in the span of one month. That's a lot of booty, me hearties. Or shouldn't that be, you hearties? It must have been tough to communicate on the Spanish Main and the High Barbaree. Argh. 

Dave Bittner: Coming up after the break, Grayson Milbourne of Webroot on the arms race for vulnerabilities. Rick Howard continues his exploration of cyber risk. Stay with us. 

Dave Bittner: And it's always my pleasure to welcome back to the show the CyberWire's own Rick Howard. He is our chief security officer and also our chief analyst. Hello, Rick. 

Rick Howard: Hey, Dave. 

Dave Bittner: So in the CyberWire Slack channel this week, you were crowing that you finally figured something out. Now, that in itself is worth noting. 

Rick Howard: (Laughter). 

Dave Bittner: But... 

Rick Howard: Yeah, first time this year. (Laughter). 

Dave Bittner: Well, if I recall, several "eurekas," in quotes, were involved. So fill us in here, Rick. What's going on? 

Rick Howard: Well, guilty as charged. And I really do think I am onto something here, OK? You know that one of my main cybersecurity first principles that I talk about a lot is forecasting cyber risk. And you and I have talked about it many times, right, Dave? And I can see your eyes rolling already (laughter). 

Dave Bittner: (Laughter). 

Rick Howard: That's the way my wife looks at me when I talk about this stuff. And I think the one thing that we can all agree on is that this is really hard to do. I mean, the Cybersecurity Canon Project is full of hall-of-fame and candidate books that talk about it, like "How to Measure Anything in Cybersecurity Risk" by Hubbard and Seiersen and "Measuring and Managing Information Risk" by Freund and Jones. And there are many more. And they're all great primers for learning how to think about cyber risk. 

Rick Howard: But my main complaint over the years about all of those books is that they didn't have that last chapter that explained how to do it from top to bottom. That was always left as an exercise for the reader. So for the past decade, I've been trying to figure it out. And I think I got it. I think I've finally figured it out. So for this week's "CSO Perspectives" Pro episode, I walk everybody through two examples about how to calculate cyber risk. And the good news here is that the math isn't that complicated - you know, some basic math, some basic addition and subtraction and a little division. And then once you know what the probability of material impact is for those organizations, we talk about what you do with that information. How do you convey it to the board and assess the leadership team's risk tolerance and set a course to decrease that risk if necessary? 

Dave Bittner: All right. Interesting. Well, that is on the Pro side. What are we talking about on the "CSO Perspectives" public side this week? 

Rick Howard: Yeah. That's one of my favorite topics. I do a deep dive on the MITRE ATT&CK framework through the lens, though, of a senior cybersecurity executive. So most analysts know what the MITRE ATT&CK is. This show explains to the executive why it's important, why they should know about it, and what they should be asking their infosec teams so that they can be good at it. 

Dave Bittner: Well, last but certainly not least, what is the phrase of the week on your "Word Notes" podcast? 

Rick Howard: This week's phrase is MFA prompt bombing - and try to say that three times real fast, OK? That'll be a disaster. This is a relatively new hacker technique that is able to skirt multifactor authentication systems and has been seen in the wild used by cybercrime groups like LAPSUS$ and cyber-espionage groups like APT29 or Cozy Bear. 

Dave Bittner: All right. Well, lots to listen to this week. Rick Howard, always a pleasure speaking to you. You can find out more about CyberWire Pro over on our website, thecyberwire.com. Rick, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I am pleased to welcome to the show Grayson Milbourne. He is security intelligence director at OpenText Security Solutions. Grayson, it's always great to welcome you back to the show. 

Grayson Milbourne: Yeah. Thanks, David. I'm really happy to be here. 

Dave Bittner: So I want to talk today about vulnerabilities and particularly the sort of complex ecosystem that exists in terms of, you know, folks tracking down vulnerabilities, bug bounties, all that kind of stuff. I'm really looking forward to hearing your insights on this. 

Grayson Milbourne: Yeah. Well, I mean, I think, you know, vulnerabilities over the past 10 years have been discovered sort of on a parabolic curve in that each year we're finding, you know, many more than double the amount of vulnerabilities discovered in the previous year. And I think this makes sense in a lot of ways in that we have a world that is really defined by software. And software is part of everybody's everyday life and interaction. And more and more software is being developed, right? And so we have the future of IoT and, you know, convenience devices and medical IoT. And so I think there's just - you know, there's an enormous type of new software being developed, which, again, creates a lot of opportunities for mistakes. And as a developer myself, I can tell you that it's almost impossible to write bug-proof code on your first pass through. That's even working within a security mindset. 

Grayson Milbourne: And so I think what we see is that it's not malicious actions by developers trying to create buggy code. It's just that coding can be quite complex. And if you don't take into account, you know, the thoughts of a hacker, you might make a mistake in your development process or how you architect things that can make you vulnerable. And in fact, this is exactly what happens because, you know, we're discovering more and more than ever before. And some of these are really, really wide impacting. And so I think you probably remember from January this year when we had the Log4j vulnerability disclosed and, you know, just how many things were impacted by that. And so I looked at that as one of the examples of, you know, when a vulnerability can go very wrong. The reality is almost all software can be vulnerable. And if somebody picks it apart long enough, they might very well find a flaw. And so that process continuously goes on. 

Dave Bittner: Where does that leave us in terms of incentives? You know, because we have - you know, obviously, there are the developers who are trying to make their software as secure and bug-free as possible. But now we have a whole other group of people who are trying to hunt these things down - some of them for bug bounties, some of them who are up to no good. 

Grayson Milbourne: Yeah. And I think, you know, this is sort of where we've watched an unfortunate transition over the past - I would say, when bug bounty programs first were introduced, you know, several years ago, seven or eight years ago, you know, they were - I think they were a really great initial idea to try to get some of the larger companies like Google. Like, Google wants you to turn over that remote code execution, Chrome zero-day that you've discovered, and they'll willingly pay you $100,000. And, you know, that might sound like a really good deal. But as a researcher, if I spend 100 hours doing that - OK, maybe that's, like, $1,000 an hour. That's not a bad payday. But the value of this, you know, isn't maybe accurately reflected when a black hat organization might pay me half a million dollars. Or a government - you know, the government might pay me even more. And it depends. 

Grayson Milbourne: I can't say, like, you know, the United States government is different from every other government. And we see different interactions with governments and their population with respect to how disclosing vulnerabilities occurs. You know, we can look at China, for example. And, you know, China has a law that says if you discover a vulnerability within your software and it's disclosed to you, you have to disclose it to us, as well. And, you know, then what happens from there? 

Dave Bittner: Right. 

Grayson Milbourne: And, you know, if you look back at Log4j, Log4j was actually a Chinese company that discovered it, but they disclosed it to Apache. And there's some fuzziness around this. But, you know, it seems like they may have been sanctioned by the Chinese government for disclosing what, you know, has been the largest vulnerability, you know, disclosed in, you know, at least a couple of years. 

Dave Bittner: Right. 

Grayson Milbourne: So - and, you know, so this is this conflict of interest, right? Like, the internet is safest when mistakes are disclosed and fixed. And it undermines security for everybody when you have a bidding war between black hats and governments. You know, I think the bidding war is fine on the side of the software developer, the person who owns the software that has the vulnerability. The thing is, their pockets just aren't often very deep, comparatively. So you know, if you're a researcher, and profiting from your time and investment into discovering these things is most important to you, you know, the offending software vendor is not always at the top of your list. 

Dave Bittner: Where do you suppose we're headed here? I mean, are we seeing advances in software, advances in hardware? Or are there - is there automation that's helping us along the way here? 

Grayson Milbourne: Yeah. So you actually touched on some really great points there. Hardware is one of the ways that we can get around some of these vulnerabilities just because a lot of times, it's a logical misstep. And so one good example of this is Intel's 11th-gen processor comes with a variety of additional security enhancements. But the one that really piqued my eyes is their total memory encryption technology. And this takes - tackles memory corruption or memory access vulnerabilities, which are often some of the most dangerous ones. Like, these are vulnerabilities that can allow me to, for example, capture your cryptography key and steal that out of memory space that it should be protected in, you know, allowing me to decrypt communications. So, you know, they tackled this from a hardware perspective, not a software perspective. So you know, by just this one change, more than 50% of last year's disclosed vulnerabilities were in this category. Now, that's great. But when is everybody getting the free update? You know... 

Dave Bittner: Right. Right. 

Grayson Milbourne: ...Microsoft - you know, Microsoft sees the problem, and they're like, hey, Windows 7 has problems. We don't want to invest anymore there. We're giving away the upgrade to 10 for free. Unfortunately, with hardware, hardware doesn't work in the same fashion. So you know, this is a really great thing, and I'm excited for what this means 10 years from now. But in between now and then, we have to look towards technology. And I think this is an emerging area of technology, which is just security by design. But that's hard to push into nonsecurity environments. And so kind of if I go back to my IoT example, and I've just made - I don't know - the next smart gadget, you know, how much am I really dedicating in my development life cycle to the security hardening of my application and my device? You know, that might be a cost that if I realize it, I don't achieve success. And so you often see, again, there's this conflict of, you know, well, I know there is probably a better way to do it, but what time and resources do I have to achieve that? 

Dave Bittner: Right. Right. All right. Well, it's interesting stuff for sure. Grayson Milbourne, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brendan Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.