The CyberWire Daily Podcast 11.15.22
Ep 1704 | 11.15.22

An update on three threat actors: Fangxiao, Killnet, and Billbug, one of them in it for money, another for the glory, and a third for the intel. Twitter and SMS 2FA. Zendesk patches. CISA adds a KEV.


Dave Bittner: Fangxiao works ad scams en route to other compromises. Killnet claims to have defaced a U.S. FBI site. CISA registers another known exploited vulnerability. Difficulties with Twitter's SMS 2FA. Zendesk vulnerabilities have been discovered. Joe Carrigan explains registration bombing for email addresses. Our guest is Miles Hutchinson from Jumio with insights on defense against sophisticated ransomware attacks. And Billbug romps through Asian government agencies.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Tuesday, November 15, 2022. 

Fangxiao works ad scams en route to other compromises.

Dave Bittner: Cyjax has published a report on Fangxiao, a Chinese threat actor apparently motivated by financial gain as opposed to espionage. It relies on phishing baited with spoofed domains of legitimate companies to spread adware. It also appears to be implicated in mobile malware distribution. Cyjax writes, we assess that Fangxiao is a Chinese-based threat actor likely motivated by profit. The operators are experienced in running these kinds of impostor campaigns, willing to be dynamic to achieve their objectives and technically and logistically capable of scaling to expand their business. 

Dave Bittner: So Fangxiao makes money en route to whatever it gets ultimately from compromised systems by fees for referrals. Tripwire, which has also looked at the scam, explains how it works. They say, with a U.K. IP address and Android user agent, the researchers were led to multiple domains before receiving a malicious APK. This file is identified by VirusTotal as Triada, an Android malware, and then comes a connection to an Amazon affiliate. With an IP address from the United Kingdom and an iOS user agent, the site went to an Amazon affiliate link. This permits whoever handled the final reroute to receive a commission on every Amazon purchase made using the same device for the next 24 hours, which may represent a substantial source of income. 

Killnet claims to have defaced a US FBI site.

Dave Bittner: Newsweek reports that Killnet, the hacktivist group serving as a Russian auxiliary, claimed to have defaced a website belonging to the U.S. FBI. If it happened at all, it was a very brief episode, with no credible observers saying they'd seen it. The claim, however, itself represents a small nuisance in the information operations Killnet and other Russian organizations have fitfully waged against Ukraine and countries sympathetic to Ukraine's cause. Killnet and other Russian auxiliaries have over the past month proven relatively indifferent to whether or not they've actually achieved the kind of access or disruption they've claimed. It's the claim, the friction induced in the opposition, not the reality of the attack that matters. 

CISA registers another Known Exploited Vulnerability. 

Dave Bittner: CISA has added a new item to its Known Exploited Vulnerabilities Catalog. Federal executive civilian agencies have until December 5 to look for, fix and report action on CVE-2022-41049, a Microsoft Windows Mark of the Web security feature bypass vulnerability. The remediation is, as usual, to apply updates per vendor instructions. 

Difficulties with Twitter's SMS 2FA system. 

Dave Bittner: Numerous Twitter users are reporting problems with the platform's two-factor authentication system. WIRED has a summary of what's been going on, stating, some users are reporting problems when they attempt to generate two-factor authentication codes over SMS. Either the texts don't come, or they're delayed by hours. That functionality may be among the bloatware Twitter's new owners say they're interested in purging from their service. Twitter's help center still indicated this morning that two-factor authentication remains available. And WIRED and others note that SMS is not the best form of multifactor authentication available. 

Zendesk vulnerability discovered. 

Dave Bittner: Researchers at Varonis have discovered a vulnerability in the customer support product Zendesk that could have allowed attackers to access customer accounts. The researchers found a SQL injection vulnerability and a logical access flaw that affected the product's reporting and analytics tool, Zendesk Explore, which is disabled by default. The researchers state that, the flaw would have allowed threat actors to access conversations, email addresses, tickets, comments and other information from Zendesk accounts with Explore enabled. Varonis explains, to exploit the vulnerability, an attacker would first register for the ticketing service of its victim's Zendesk account as a new external user. Registration is enabled by default because many Zendesk customers rely on end users submitting support tickets directly via the web. Zendesk Explore is not enabled by default but is heavily advertised as a requirement for the analytic insights page. Zendesk promptly developed a patch for the flaw after Varonis notified them of the problem. Varonis says the vendor began working on a fix the same day they were notified. Zendesk fixed multiple bugs in less than one workweek with, it says, no customer action required. 

Billbug romps through Asian government agencies.

Dave Bittner: And finally, Symantec has found that a Chinese-state-sponsored threat actor compromised a digital certificate authority in an unnamed Asian country. The threat actor also compromised government and defense agencies in several Asian countries. 

Dave Bittner: The threat actor, which Symantec tracks as Billbug and is also known as Lotus Blossom or Thrip, likely targeted the certificate authority in order to sign its malware files, although it's not clear if Billbug was able to steal any certificates. 

Dave Bittner: The researchers say, the targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic. However, although this is a possible motivation for targeting a certificate authority, Symantec has seen no evidence to suggest they were successful in compromising digital certificates. Symantec has notified the cert authority in question to inform them of this activity. Symantec noted back in 2019 that Billbug is based in China, and its primary goal appears to be espionage. 

Dave Bittner: Coming up after the break, Joe Carrigan explains registration bombing for email addresses. Our guest is Miles Hutchinson from Jumio with insights on defense against sophisticated ransomware attackers. Stick around. 

Dave Bittner: The ongoing threat of targeted ransomware has left a lot of companies, particularly small and medium-sized businesses, struggling to keep up with what is frequently described as a nation-state level of attack sophistication. Miles Hutchinson is chief information security officer at identity verification and online mobile payments company Jumio, where he and his colleagues are on the front lines of this fight. 

Miles Hutchinson: More and more and more, we're seeing the tactics used by nation-state or state-sponsored attackers and the tactics used by organized crime groups that - traditionally, those two worlds were kind of apart. And more and more over the years, we've seen those worlds converge. So we're seeing the tactics used by both sides being very similar. And then where we are today? Everybody's ecosystem, technical ecosystem is such that we're all so reliant on so much technology in so many - you think of the variety of vendors that we have all got within our businesses. Everybody is susceptible to this in one way, shape or form. We're all either going to be directly targeted or indirectly targeted because we end up accidentally in the blast radius of somebody else's attack that's being directed their way. So, yeah, you can end up unfortunately being indirectly impacted by this just by association with a vendor that's on a hit list of a nation-state attacker. 

Dave Bittner: And how do you define a nation-state attacker - I mean, or I guess more specifically, the types of attacks that they generally use? Is it clear, or is there some fuzziness there? 

Miles Hutchinson: I think there's definitely some - as I said kind of before, I think historically, that used to be quite clear cut. And the targets that they - and the approach was a bit more obvious, that if you saw that type of approach, it was definitely that this is coming from a nation state, whereas these days you're seeing nation-state attackers and crime groups that they sponsor sharing tactics or using similar tactics. We're seeing - we saw - you know, many, many years ago, we saw that certain attack patterns that were coming out of the U.S. that were leaked but were then picked up and then made it out into the public domain and then also made it into attack packages that are used by other nations back on themselves, back on - you know, back on other nations as well. So I think the lines are blurred for sure. I think the lines are definitely blurred. And then, you know, that definition of, well, how do you know it's - you know, how do you attribute who it's come from? We are seeing that certain attacks coming from organized groups that are - when you lift the lid on it, it's - you know, all evidence kind of points towards this is a state-sponsored attack. It's extremely difficult to prove it, but the evidence - the weight of evidence suggests that a lot of these attacks are coming from groups that are being backed by nation-states. 

Dave Bittner: And so where does that put your average organization then, in terms of prioritizing their defenses? 

Miles Hutchinson: Yeah. Well, I think the good news on this is - from a priority point of view, the good news is if you're doing the basics, then I wouldn't say you've got nothing to worry about - right? - and equally, I wouldn't want to say you've got something to worry about. But if you're doing the right things at the right time in the right part of your business, then, come the day that the worst happens, you're prepared. And I think irrespective of who that comes from, be that - does that come from a nation-state, does that comes from organized crime group, or equally - equally, Dave, the other thing - does that come from yourselves because you've had an - you know, a cyber accident yourselves? The key point is if you've got the - cover the foundations. Cover the - get the foundations right. Make sure you understand what your business is. Make sure you understand where your most important data is. Make sure you understand where your most - you know, where all of your exposures are. And make sure, most of all, that you know what you're going to do come the day that something happens, so you're ready. 

Miles Hutchinson: So I'm not sure that - unless you're in the business of attacking other nations and unless you're in - you know, unless you're in kind of military or government, or you're in the business where every single minute of every single day, you know that you're being attacked like this, then you take a slightly different approach. But I think to your general enterprise business or small, medium-sized business that isn't in that category but could get caught up within it because of - by association with another vendor or by association with a marketing campaign or a customer that you've onboarded, I think if you got the basics covered, then that's going to stand you in good stead for whoever's coming your way. 

Dave Bittner: Are there any common shortcomings that you see, maybe - you know, some blind spots that organizations overlook? 

Miles Hutchinson: There's been a few years of people talking about, you know, ransomware is going up and up and up and up. We've seen it growing year on year. I think the stats in the last year, it has gone up again. I think it's gone up again by another 120% in the last year. And all of the - you know, the majority of where we're seeing attacks growing is all targeting the human. So the human risk is growing for sure. There's a - you know, the adage out there saying that the people are the weakest link. And I really don't buy into that at all. I just think people are the most targeted because the attack surface of the human is far, far wider, so better return. So, yeah, I think - shortcomings on this, I think it's making sure that you're protecting your humans within your business and the equipment that those people are using because by and large it's that equipment that's initially used. If you think of an attack, an attack doesn't have a - it's not all over and done with very quickly. It's typically a - these types of attacks that we're talking about, nation-state or sponsored, they typically are a fairly convoluted attack pattern. 

Miles Hutchinson: So it starts with a point of entry. You're then going to maneuver within the business and pivot to other parts of that business once you're inside them, until you get to a point where you've found something of interest to perform, you know, the payload or whatever it is that your intent is. So it's typically not just a - break through the front door and smash and grab and get out of there. It's normally quite a drawn-out process, but it usually starts with the person. And it usually starts with the person, the user's equipment. So that's one thing that a lot of companies could spend a lot more time on, making sure that they're protecting their humans and protecting the equipment that those humans are using. 

Dave Bittner: That's Miles Hutchinson from Jumio. 

Dave Bittner: And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute, as well as Harbor Labs. Joe, it's always great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: So we were talking about some stuff over on the "Hacking Humans" podcast, which you and I co-host. And I got a message from our friend Dr. Christopher Pierson. He's CEO of BlackCloak. 

Joe Carrigan: Right. 

Dave Bittner: And he sent over some research that they had been doing - I guess a report that they put out about something called registration bombing for email addresses. And I thought it was worth mentioning here. What's going on here, Joe? 

Joe Carrigan: So our story on "Hacking Humans" comes from episode 218... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Where a listener named Bo wrote in about how he was the victim of a denial-of-service attack - what he called a human denial-of-service attack, where he received multiple emails, phone calls and text messages and, like, hundreds an hour. 

Dave Bittner: OK. 

Joe Carrigan: Tons of them. 

Dave Bittner: Just an avalanche. 

Joe Carrigan: An avalanche of these things. 

Dave Bittner: Yeah. 

Joe Carrigan: And in those emails and phone calls were information from his bank that somebody was using a cloned credit - or debit card to extract money from his bank account. 

Dave Bittner: OK. 

Joe Carrigan: And this research that Dr. Pierson sent over is akin to that. And I think Dr. Pierson listened to the "Hacking Humans" show... 

Dave Bittner: Yeah.

Joe Carrigan: ...And sent this over. But BlackCloak has this concept of registration bombing, which is kind of like automation of that attack. 

Dave Bittner: OK. 

Joe Carrigan: So what happens here is I'm a bad guy, right? So - and like bad guys, I often sign up for newsletters... 

Dave Bittner: Right. 

Joe Carrigan: ...Or maybe access to websites. 

Dave Bittner: OK. 

Joe Carrigan: And every time I do that, I notice that when I sign up for a website, they send me an alert that says, did you sign up for this email - this website? 

Dave Bittner: Right. 

Joe Carrigan: Please confirm by clicking on this link, and we'll validate your email address. Well, that's useful. A bunch of other websites do that, too. So if I want to obfuscate messages that somebody should be paying attention to, I'm going to create a bunch of noise. And maybe the messages that warn them of my malicious activity will be lost in that noise. So I automate the process and just have a bunch of bots start going out and registering for websites. Those websites all send an email to this person's account, to my victim's account. And then while that's going on, I start conducting my fraud. So they get an email from their bank that says, We noticed that you just transferred $2,000 out of your bank account. And hopefully, the person doesn't see it. 

Dave Bittner: Because of all the noise. 

Joe Carrigan: Because of the other noise that's in there. 

Dave Bittner: Right. 

Joe Carrigan: It's actually a very creative attack. 

Dave Bittner: So I'm getting hundreds of emails flooding my box. 

Joe Carrigan: Right. 

Dave Bittner: And in the midst of that, the bad guys do their thing, hoping that I will miss the legit one from my bank or some retailer that I'm working with online, something like that. 

Joe Carrigan: Correct. 

Dave Bittner: How does one protect themselves against this? 

Joe Carrigan: This is a tough one, Dave. I've actually been thinking about this for a while because since Bo's story, I've been actually kind of concerned about this kind of attack. But I think I have a solution, and I haven't tried it yet. 

Dave Bittner: OK. 

Joe Carrigan: But what I'm going to do is I'm going to open up an email account just for my financial institutions that I deal with, right? Anything - anybody I have a credit card with or a bank account with, I'm going to say, my email address is now this. Please use this. 

Dave Bittner: OK. 

Joe Carrigan: And that way, they will send their emails to that address, which I can monitor on my phone or through my web browser or however, the key difference being that this is not an email I ever publish to anyone. 

Dave Bittner: I see. 

Joe Carrigan: Right? So nobody ever goes, Joe Carrigan - oh, he is, right? 

Dave Bittner: (Laughter) Right, right, right. 

Joe Carrigan: They'll do the Google search, and they'll find my OG Gmail account, and they'll go, oh, there's Joe's email. I can send him emails and pester him. Or maybe I can flood his inbox with a bunch of messages. But they'll flood my inbox with a bunch of messages, and I'll still get the email in the financial account in the - in, you know, Joe's banking - 

Dave Bittner: Yeah. What I'm wondering about, though - because I think some of this happens when credentials have been compromised. 

Joe Carrigan: Right. 

Dave Bittner: So say, for example, your banking credentials were compromised. That would mean they would have that unique email address, and they would start flooding that. 

Joe Carrigan: Ah. OK, that's a good point, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: So maybe that won't work very well. 

Dave Bittner: Well, but you would - I mean, I think you'd know the jig was up because... 

Joe Carrigan: Right. 

Dave Bittner: ...You shouldn't be getting email - newsletter registrations on your exclusive financial email address. 

Joe Carrigan: Correct. 

Dave Bittner: So that would be an indicator itself. 

Joe Carrigan: An indicator that something was going on. But getting thousands of those things in an hour would also be an indicator that something was going on. 

Dave Bittner: Yeah. 

Joe Carrigan: Even if it went to my regular Gmail address. 

Dave Bittner: Yeah, yeah. All right. Well, again, our thanks to Dr. Christopher Pierson from BlackCloak for sending this report over. The report is titled "New Registration Bomb Email Attack Distracts Victims of Financial Fraud." Worth checking out. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.