The CyberWire Daily Podcast 11.17.22
Ep 1706 | 11.17.22

Privileged insiders and the abuse of “Oops.” Nemesis Kitten exploits Log4Shell. TrojanOrders in the holiday season. Emotet’s back. RapperBot notes. And an arrest in the Zeus cybercrime case.


Dave Bittner: Meta employees and contractors compromised customer accounts. Nemesis Kitten is found in U.S. government networks. Unpatched Magento instances are hit with TrojanOrders. Emotet has returned after three quiet months. DDoS attacks in game servers by RapperBot. Carole Theriault looks at long-term lessons learned from the 2019 Capital One breach. FBI Cyber division AD Bryan Vorndran updates us on cyberthreats. And an alleged Zeus cybercrime boss has been arrested in Switzerland.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 17, 2022.

Meta employees, contractors compromised customer accounts.

Dave Bittner: The Wall Street Journal this morning reported that Meta Platforms, parent company of Facebook, found that some employees and contractors were apparently involved in selling outsiders access to customer accounts. The Journal says that Meta, in the course of an internal investigation, fired or disciplined more than two dozen employees and contractors over the last year whom it accused of improperly taking over user accounts, in some cases allegedly for bribes. Some of the employees believed to have misbehaved had done so through the access they'd been granted to Meta's program, internally called Oops, used to help customers who are having trouble with their accounts, assisting them with forgotten passwords or account hijacking.

Dave Bittner: In some cases, workers took thousands of dollars in bribes from outside threat actors to compromise the accounts. Oops is supposed to be limited to friends, family, business partners and public figures. But as Meta's employee headcount has grown, so has Oops' usage. Meta is working to rein in the use of Oops and its attendant abuse, but it's not an easy problem to overcome. It's an interesting case of the larger challenge of privilege abuse, and it will be interesting to see the steps Meta takes to bring the problem under control.

Nemesis Kitten found in US Government network.

Dave Bittner: CISA and the FBI released a joint cybersecurity advisory yesterday on Iranian government-sponsored APT actors compromising a federal network. The threat actor, Iran's Nemesis Kitten, exploited the well-known Log4Shell vulnerability to infiltrate a VMware Horizon server in February and move across the network. BleepingComputer reports that the attackers deployed a cryptocurrency miner, as well as reverse proxies on compromised servers to remain within the network. The Washington Post  identified the affected agency as the U.S. Merit Systems Protection Board. SecurityWeek notes that CISA and the FBI have published indicators of compromise to help potentially impacted organizations find infection, with the mindset that there has already been a compromise. The agencies say in their advisory, all organizations with affected VMware systems that did not immediately apply available patches or workarounds should assume compromise and initiate threat hunting activities. If signs of compromise are found, connected systems should be investigated and privileged accounts especially should be audited.

Unpatched Magento instances hit with "TrojanOrders."

Dave Bittner: At least seven Magecart gangs are hitting vulnerable unpatched instances of Magento 2 and Adobe Commerce with TrojanOrders, researchers at Sansec report. The bogus orders are placed to establish persistence on the affected system. Once that's achieved, the criminals can execute further criminal actions, usually customer credential and pay card theft. This kind of exploitation had been difficult, but exploits have been traded in criminal-to-criminal markets, and their prices have recently fallen from $20,000 to $30,000 to roughly $2,500, according to BleepingComputer. The potential rewards are greater as well as the holiday season approaches. Sansec expects TrojanOrders to crest as the shopping season begins to peak with Black Friday at the end of next week. Patches are available for the vulnerabilities undergoing exploitation, but Sansec estimates that about a third of Magento and Adobe Commerce systems remain unpatched. And even in some patched systems, attackers may have achieved persistence before the patches were applied. 

Emotet has returned after three quiet months.

Dave Bittner: Proofpoint yesterday offered a look at the return of Emotet, whose major distributor, TA542, resurfaced this month after having been quiet since July. The botnet has been observed dropping IcedID, and researchers think Emotet is returning to its full functionality, acting as a delivery network for major malware families. The botnet's targets have been widespread, with high volumes of spam hitting the United States, the United Kingdom, Japan, Germany, Italy, France, Spain, Mexico and Brazil. The researchers conclude, overall, these modifications made to the client indicate the developers are trying to deter researchers and reduce the number of fake or captive bots that exist within the botnet. The addition of commands related to IcedID and the widespread drop of a new IcedID loader might mean a change of ownership, or at least the start of a relationship between IcedID and Emotet. 

DDoS attacks in game servers by RapperBot.

Dave Bittner: Game servers have been the target of activity by RapperBot, Fortinet's FortiGuard Labs researchers report. DDoS attacks have been detected in game servers. FortiGuard Labs researchers reports RapperBot had been seen in campaigns earlier this year. There are signs that some Mirai source code is being reused. Bleeping Computer reports that Fortinet believes all RapperBot campaigns are done by the same threat actors with newer variants sharing source code. Reportedly, the C2 communication protocol is the same. Credentials used have been the same since August 2021, and there are no signs of campaign overlaps. 

Alleged "Zeus" cybercrime boss arrested in Switzerland.

Dave Bittner: And finally, we've all heard and heard a lot about the general surprise aroused by Russian cyber operators' failure to show up in Moscow's hybrid war against Ukraine. The latest comment on this, if you'll indulge us for a moment, came this week from the U.S. Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang, who observed to the Aspen Institute that Moscow's cyber operations have underperformed prewar expectations. The Hill quotes her as saying, I think we were expecting much more significant impacts than what we saw. I think it's safe to say that Russian cyber forces, as well as their traditional military forces, underperformed expectations. She thinks that the evidence shows Russia to have been unprepared for an unexpectedly protracted war. 

Dave Bittner: But the hoods on both sides of the Russo-Ukrainian border have managed to stay in the news. KrebsOnSecurity reports that Vyacheslav Penchukov, who goes by the hacker names Tank and Aqua, a Ukrainian cybercriminal and sometime DJ, was taken into custody by Swiss police in Geneva. He now faces extradition to the United States. The charges he faces, according to the record, pertain to a wide-ranging racketeering enterprise and conspiracy, who infected thousands of business computers with malicious software known as Zeus. He's been associated with the Russian cyber mob boss, Evgeniy Mikhailovich Bogachev, who's been wanted by the U.S. FBI since his indictment in 2012. Mr. Penchukov is alleged to have run the Ukrainian branch of Mr. Bogachev's Zeus operation. Mr. Penchukov is in custody, but Mr. Bogachev remains out there in the wild, last seen aboard his yacht in the Black Sea rocking his tracksuit and holding some exotic cats. 

Dave Bittner: Coming up after the break, Carole Theriault looks at the long-term lessons learned from the 2019 Capital One breach. FBI Cyber Division AD Bryan Vorndran updates us on the latest cyber threats. Stick around. 

Dave Bittner: Our U.K. correspondent Carole Theriault returns with a look at the long-term lessons learned from the 2019 Capital One breach. She files this report. 

Carole Theriault: So back in 2019, Capital One told the world that someone gained unauthorized access and stole files containing the personally identifiable information of customers and credit card applicants. And this data was a treasure trove. It included payment history, contact info, credit scores and Social Security numbers. Now, Capital One said it immediately fixed the issue and alerted the FBI, but it was still one of the largest financial data breaches to date. I mean, it reportedly affected more than a hundred million customers in the U.S. and Canada. And it was an anonymous email sent to Capital One that fueled the FBI's investigation in July 2019. And it led to the arrest of Paige A. Thompson, a 36-year-old Amazon tech worker. And just this past June, a jury in the U.S. District Court of Seattle found Thompson guilty of wire fraud, five counts of unauthorized access to a protected computer and damaging a protected computer. 

Carole Theriault: Now, according to the DOJ press release, quote, "using Thompson's own words and texts and online chats, prosecutors showed how Thompson used a tool she built to scan Amazon Web service accounts to look for misconfigured accounts. She then used those misconfigured accounts to hack in and download the data of more than 30 entities, including Capital One bank. With some of her illegal access, she planted cryptocurrency mining software on new servers, with the income from the mining going to her online wallet. Thompson spent hundreds of hours advancing her scheme and bragged about her illegal conduct to others via online and text forums," unquote. 

Carole Theriault: So did you see that? It's not like she's some mastermind genius. She went around scouring, looking for misconfigured AWS servers. And just look at the damage she caused - a hundred million people affected. We're talking stolen credit card details, social insurance numbers, a bunch of private information that you don't change very often, if at all, in your lifetime, and with an end goal of getting some secret crypto mining thing going. 

Carole Theriault: So what can we take away? What can we learn from this? - is to make sure that our configurations are set the way we want them to be. Think about all the myriad of software that you're running at home or at work. Like, every time there's an upgrade, configuration options might change and - or be added, and they may just set those to a default setting, expecting you to review it. Well, maybe meet that expectation. Because in the end, while Capital One was hurt - the company was fined 80 million and settled customer lawsuits for 190 million - the people whose information has been stolen are the ones that really pay the price. So that is today's takeaway. Review your configuration settings and make sure only authorized people can access your data treasure troves. This was Carole Theriault for the CyberWire. 

Dave Bittner: And I'm pleased to be joined once again by FBI Cyber Assistant Director Bryan Vorndran. Director Vorndran, welcome back. I want to touch base with you today on some of the threats that you all are tracking, particularly the cybercriminal threats. What do you have to share with us today? 

Bryan Vorndran: Thanks, Dave. It's good to be here with you. You know, specifically towards ransomware, the criminals behind ransomware attacks are almost wholly based in Russian-speaking countries. And it's important to know that they operate as organized crime syndicates, similar to what we would have thought of as traditional organized crime elements. Quite frankly, they're fantastic entrepreneurs and have successfully lowered the barriers of entry through ransomware-as-a-service. And I'll explain what that means here in a minute. But there's really four key services to their business model. One is infrastructure. The second is communication. The third is malware. And the fourth is obviously transactional currency. 

Bryan Vorndran: But specific to the malware key service, very, very highly skilled malware coders are developing more and more sophisticated malware, and they have what we refer to as an affiliate model. And that affiliate model allows less technically skilled criminals, who are obscured from the enterprise or who are obscured from these heavily skilled malware coders - and those affiliates deploy their sophisticated malware for their personal gain, and then they pay a percentage of their proceeds back to the highly skilled malware coders. So it really does cordon off the most talented enterprise leaders from the affiliates, and they're essentially on a lease model for their malware. It's a very, very productive model for everybody involved. But all of those people involved are obviously criminals. 

Bryan Vorndran: You know, as you know, ransomware is an attack on the availability of your systems and data. And an organization's goal should be to prevent these attacks. It's not about detection and eviction. It truly is about prevention. And those prevention efforts should be commensurate with acceptable downtime. And those acceptable downtimes need to be made at the organizational level. So if an acceptable downtime is, for example, one day, increasing prevention efforts should be a high priority. Without taking those effective steps in advance of a breach, an organization can find themselves obviously wholly reliant on the honesty and the integrity of criminals to get their data back or to get their systems decrypted. 

Bryan Vorndran: You know, it's also highly predictable that ransomware actors will eventually move towards multilingual ransomware-as-a-service software platforms. So if you think about it, you know, they've obviously scaled their model in terms of Russian-speaking countries, but there's other talent globally. And a natural endeavor for them would be to scale into multilingual platforms to leverage other countries and the criminals in other countries. But I do think, Dave, it's really important to talk about target identification. And ransomware actors evaluate really three key things. First, who is easily targetable? Second, who is likely to pay based on brand damage? And finally, who will pay the most? So let's put this in industry standard terms. Who doesn't have good net defense? Who has a high willingness to pay? And who will suffer the most economic impact from the encryption of key systems? 

Bryan Vorndran: You know, ransomware attacks are increasingly coupled with data theft, and this is a very normal and present trend right now. We refer to that as a double extortion model or data theft and harassment of the victims and company officials, which we would call a triple extortion. So I'll go a little bit deeper on those. So double extortion would mean that a ransomware actor encrypts your system and also steals the data and threatens to release it publicly. A triple extortion model would be, again, encrypts your data, steals your data and then attacks your systems through a DDoS attack or makes harassing phone calls to employees, executives, customers or family members. And those are becoming more and more prevalent. And I just want to touch on one other note before we round out this question. You know, when companies choose to pay to prevent the leak of data, it's important that those companies understand that they're paying to prevent the leak of data right now, and they should undoubtedly expect to be extorted again in the future to prevent another release of data. So I appreciate the question. It's obviously a very important topic to us. 

Dave Bittner: Can you give us some insights on ideal interactions between you and your colleagues there at the agency? When someone comes to you and says we've been a victim of ransomware, how does that work? 

Bryan Vorndran: Dave, it's a great question. And when we talk about this, we really split the relationship building into three phases. And those phases are before an intrusion, during an intrusion and after an intrusion. And the before the intrusion phase is the most important because it's then that we build trust with an organization, whether that's a nonprofit, a for-profit or an education institution or anything else. It's important to build trust. But it's also important to set expectations. And by setting expectations, I do not mean, what does the FBI need? I actually mean just the opposite. 

Bryan Vorndran: The company often wonders, what can the FBI do? What can the FBI not do? What should the company do? What should the company not do? How does the company want the FBI to engage with them during a moment of intrusion? For example, do they want the FBI to engage through a natural, trust-based relationship that's already in place, or do they want us to engage through their retained counsel during an intrusion? But that before intrusion phase of relationship building is so, so important. And it's been my experience that when engagement during intrusions don't go well between the FBI or a company or the company and the FBI, it's likely because we haven't spent enough time together before the intrusion. 

Bryan Vorndran: But during the intrusion, you know, our message is very simple. We're there to help. That opens the gateway to the bureau's resources. We can open the gateway to the U.S. government resources. We've been asked to help with media in the past during an intrusion, and we're happy to do that. We've been asked to do a host of other things that are not technical, and we're happy to do that. But at the end of the day, there is information, intelligence and evidence that a company likely has as a result of their intrusion. And we would hope that there would be a sharing of that at an appropriate time. It's very seldom that we need all that right away. There is a need to quickly share virtual wallet information and things of that sort because that's tactical and tangible intelligence that we can move on. So hopefully, Dave, those give you and your audience some thoughts on what that engagement would look like. 

Dave Bittner: And from a practical level, is this a matter of reaching out to your local FBI field office? 

Bryan Vorndran: It really is. It really is. You know, probably the biggest strength the FBI has is 56 field offices, 300 different resident agencies. And so we do have people everywhere. And we would really encourage your audience to get in touch with their local FBI field office and at least introduce themselves to the right folks on the cyber squad in that field office so that should something happen, those relationships are already in the process of being built. 

Dave Bittner: All right. Well, FBI Cyber Assistant Director Bryan Vorndran, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you all back here tomorrow.