The CyberWire Daily Podcast 11.21.22
Ep 1708 | 11.21.22

Callback phishing offers to solve your problem (it won’t). Mustang Panda’s recent activities. DEV0569’s malvertising campaign. 10 indicted in BEC case. Developing a cyber auxiliary force.


Tre Hester: Luna Moth's callback phishing offers an unpleasant and less familiar form of social engineering. New activity by China's Mustang Panda is reported. DEV-0569 is using malvertising (ph) to distribute Royal ransomware. U.S. indicts 10 in a business email compromise case. Dave Bittner sits down with A.J. Nash of ZeroFox to discuss holiday scams. Our own Rick Howard speaks with us about cloud security. And folks, beware of Black Friday scams. From the CyberWire studios at DataTribe, I'm Tre Hester filling in for Dave Bittner with your CyberWire summary for Monday, November 21, 2022.

Luna Moth's callback phishing.

Tre Hester: Palo Alto Networks' Unit 42 is tracking a large callback phishing campaign they call Luna Moth. The criminals behind the operation are using legitimate tools to exfiltrate data with a view to using it for extortion of the data's owners. Unlike classic phishing, which tries to get the victim to execute a malicious package in the phishing email itself, callback phishing, as the name suggests, requires the victim to get in contact with the attacker. The attacker then uses social engineering to trick the victim into granting access to a system or transferring money. An email with a legitimate pdf pretending to be an invoice for an unwanted subscription is received, and instead of carrying malware, that PDF carries a callback phone number the victim is asked to contact. There's a kind of organizational two-step involved. 

Tre Hester: Palo Alto explains, quote, "the initial lure of this campaign is a phishing email to corporate email addresses with an attached invoice indicating the recipient's credit card has been charged for a service, usually for an amount under $1,000. People are less likely to question strange invoices when they're for relatively small amounts. However, if people targeted by these types of attacks reported these invoices to their organization's purchasing department, the organization might be able to spot the attack, particularly if a number of individuals report similar messages," end quote. 

Tre Hester: Once on the phone, the scammer will persuade the victim to allow permission to manage their device and cancel the subscription. Once they're in, the crooks steal data and proceed to familiar extortion - quote, "the phishing email is personalized to the recipient, contains no malware and is sent using a legitimate email service. These phishing emails also have an invoice attached as a PDF file. These features make a phishing email less likely to be intercepted by most email protection platforms," end quote. After exfiltrating the data, the attackers email the compromised organization and demand a ransom. The ransom amounts vary depending on the organization's revenue and range from around $30,000 to over $1 million worth of bitcoin. It will come as no surprise to learn that Unit 42 says the scammers don't always follow through with their promise to provide proof that the stolen data have been deleted - not that you'd trust any offer of proof, of course, but, you know, just in case a friend might ask. 

New activity by China's Mustang Panda.

Tre Hester: On Friday, Trend Micro described recent campaigns by Mustang Panda, or Earth Preta as Trend Micro calls it, a threat group associated with the Chinese government. The cyberespionage campaign abused fake Google accounts to distribute the malware via spear-phishing emails initially stored in an archive file and distributed through Google Drive links - quote, "these links served as lures to induce the victims to download malware that would be used against them in cyberespionage campaigns." Australia has been most heavily targeted, but Myanmar, Japan, Taiwan and the Philippines have also received a great deal of attention. 

Tre Hester: The current campaign, however, has not been confined to those countries. Its spear-phishing has been observed at lower levels in many other parts of the world. Mustang Panda appears to engage in extensive reconnaissance and to spend some time in getting the target to regard its persona as familiar. Most of the documents used as phish bait are written in Burmese, and the targets are overwhelmingly government agencies, especially those engaged in research. Three distinct malware strains are in use - PUBLOAD, a stager, TONEINS, an installer for backdoors, and TONESHELL, the principal backdoor deployed in the campaign. Sensitive documents stolen in earlier stages of the attack are subsequently repurposed as phish bait for subsequent phases. 

DEV0569 using malvertising to distribute Royal ransomware.

Tre Hester: Microsoft has identified a relatively young ransomware cluster of threat activity, DEV-0569, first noted in August, which is distributing the Royal ransomware strain using both malvertising, in this case malicious Google ads, and phishing as an infection vector. Recently DEV-0569 has been seen using malicious Google ads, a better way to blend in with ordinary ad traffic. Initial access to compromised accounts seem generally to be obtained via a BATLOADER-delivered Cobalt Strike Beacon implant. It's also been using NSudo, an open-source tool that has some success interfering with antivirus solutions. The methods are complex and innovative, but Infosecurity Magazine observes that they also bear some resemblance to Emotet operators' use of IcedID. We note in full disclosure that Microsoft is a CyberWire partner. 

US indicts ten for alleged BEC fraud against Medicare, Medicaid, and other health insurance programs.

Tre Hester: On Friday, the U.S. Department of Justice announced the indictment of 10 individuals on charges related to fraud that targeted Medicare, state Medicaid programs, private health insurers and numerous other victims. Specifically, the charges alleged wire fraud, business email compromise and money laundering. In the aggregate, victims lost, the DOJ says, some $11.1 million. The alleged fraudsters concentrated on diverting payments intended for hospitals. 

Developing a cyber auxiliary.

Tre Hester: Much of the attention given to Ukraine's methods for marshaling nongovernmental actors to its cyber defense has focused on the IT Army of Ukraine, effectively an auxiliary of regular government agencies. Recorded Future describes another aspect of that defense, direct assistance received from Western tech companies - quote, "dozens of companies from U.S. cybersecurity, threat intelligence in the tech world - from Mandiant to Microsoft - have banded together in a kind of volunteer cyber posse, wading into the middle of the conflict without a pretense of neutrality," end quote. The companies have organized themselves as the Cyber Defense Assistance Collaboration. And this mode of constructing public-private partnerships for cybersecurity, particularly in wartime, merits serious study to extract lessons learned. 

Shopping season is also scam season.

Tre Hester: And finally, attention, shoppers. Black Friday is, by tradition, this Friday, the day after the U.S. Thanksgiving holiday. It's when many American consumers start their holiday shopping in earnest. And the darkness imputed to the day comes, we think, from the grim experience of shoppers throwing elbows at brick-and-mortar doorbuster sales. And, the somewhat more recent tradition, Cyber Monday, follows three days later, and people go online for the same purpose, only the elbows are being thrown virtually. Both days have swollen into weeks, driven by season creep and marketing imperatives, but they do tend to peak on their customary dates. But online scammers haven't waited, however, and they've been preparing their fraud for well over a month. So friends, be wary and be alert. Shoppers, if it sounds too good to be true, well, it probably is. 

Tre Hester: Coming up after the break, A.J. Nash from ZeroFox discusses holiday scams, and our own Rick Howard speaks with us about cloud security. Stick around. 

Dave Bittner: Hard to believe the holidays are upon us, which for many means getting together with friends and family and shopping online for gifts for loved ones. A.J. Nash is vice president of intelligence at ZeroFox, and I checked in with him for insights on the types of online fraud activity he and his colleagues are tracking. 

A.J. Nash: This year in particular, when you're dealing with an economy that's been challenging, so people are more inclined to believe the not-believable deal than they might in some years because people are really trying to get a great deal - a lot of folks are. So you have that combined with some challenges in the social media space with validation and verification of companies, of people. That's a really dangerous situation in terms of being defrauded. So, you know, we always talk about, you know, if it's too good to be true, don't believe it. That's, you know, old advice. I think our parents have told us that since we were kids. 

Dave Bittner: (Laughter). 

A.J. Nash: But we talk ourselves out of that sometimes, you know? And, you know, certainly I don't think anybody is going to buy a Ferrari for $15 on the internet. But, you know, that $150 item that is the hot item this year that your kids or your significant other really, really wants, you might convince yourself $40 is possible now, whereas it's probably not. So I think that opens the door for more opportunities for criminals, unfortunately. And so they're going to leverage social media. They're going to put out advertisements that are false advertisements that are - might be tied to social media accounts that look valid. They may even have that advertisement that takes you to a link to another website that looks valid. It's not that hard to set up a website that looks legitimate and buy a domain that looks like it's the right domain but has a slight typo in it. Or they used a lowercase L, you know, instead of an I or something like that. And then they're going to steal your information. You know, that's... 

Dave Bittner: Yeah. 

A.J. Nash: ...What it comes down to. Criminals, you know, steal your information, or they're going to, you know, steal your money and sell you something that doesn't exist. So I think we're going to see - unfortunately, I think it's going to be a pretty big year for criminals. It's a big year for retail, and I think it's going to be a big year for criminals as a result. 

Dave Bittner: What about the platforms themselves? You know, I'm thinking of places like Facebook Marketplace or eBay or even Amazon itself. I mean, have - what sort of progress have you seen them making, if any, year over year when it comes to tamping down on some of these fraudulent actors? 

A.J. Nash: Yeah, that's a great question. And all of those environments have fraud, but all of those environments have put a lot of effort in it. Those companies have worked very hard at this. You know, they've partnered with companies who are focused on this and work diligently to bring these down. The problem is just a matter of volume. You know, Amazon is the world's largest retailer. For all of their efforts, there's going to be some things that consumers still have to look for. You know, it's just the nature of it. But I would say I personally have seen great improvements from all the companies you just mentioned. They've invested heavily, for what it's worth, I hope I'm allowed to say that, in intelligence and in cybersecurity and in counter-fraud technologies. They're always looking for a new way to identify fraud and take action, you know, up to and including, you know, law enforcement. You know, these companies know this impacts their business. So it's really in their best interest to keep fraud to a minimum on their sites. 

A.J. Nash: I mean, most cases, the folks I've talked about - or talked to about this, they actually care about the customers, like, genuinely. I know people might be surprised to hear that. It's not just about making money. The folks we talked to want customers not to be defrauded because those customers include their family and their friends and everybody they know, too. So it matters. And I've seen a lot of efforts by all the companies you were talking about to really go heavily into this space, to invest in resources internally, to partner with - you know, with great companies who are capable of rooting these things out and again, to take actions, you know, to really go to the far end to try to prosecute when possible, especially for some of the larger criminal enterprises, criminal rings of fraud. They're going at it pretty hard. These companies care about this. But as a consumer, we have to understand it's still going to exist. You know, the companies have to do the best they can. And their due diligence, I believe, exists. But as consumers, we still have to look, too, and be careful and understand, you know, the signs of a scam. You know, we have some responsibilities, too. 

Dave Bittner: You know, as the holidays approach, a lot of us will be getting together with our families and our friends. And I think a lot of those folks rely on us for expertise when it comes to these things - these things that they consider to be technical, things like online shopping and online fraud and all that sort of stuff. Any words of wisdom there in terms of the messages that we should be sharing with our less technically savvy loved ones? 

A.J. Nash: Yeah. I mean, that's a great question, right? Every time I visit family, first, I have to explain to them how I can't actually fix their computer 'cause that's not what I do. But... 

Dave Bittner: (Laughter). 

A.J. Nash: ...You know, I'm sure everybody has that, too. It's just - some things are just settings, you know? How do I make the volume a different sound... 

Dave Bittner: Right. 

A.J. Nash: ...You know? But when you get into these things, yeah, I think, you know, some things that everybody can appreciate and understand, right? If it's too good to be true - again, reminding people of the tried and true. If it's too good to be true, it is. I mean, almost certainly. You know, if somebody reaches out to you that you didn't anticipate, if there's unsolicited email, unsolicited text message with this great thing, it's probably a scam. I - you know, there's - with all due respect to anybody and everybody listening, none of us individually are that important, all right? Nobody's reaching out to us specifically because we're special and they want to help us out with this great, amazing deal. You know, we've got to recognize that, right? 

A.J. Nash: Not clicking on links, of course - you know, if you're looking at a deal on, say, one of the websites you mentioned that, you know, hosts retail, it doesn't take much time or effort to open a browser and do a little research on the company, look for backgrounds, see - you know, see what else is out there, see if they're legitimate company, look for, you know, reviews, which we all do - certainly within a site like an Amazon, but you can also look other places for reviews. I tend to look at two or three different sources for reviews - can really help you sort that out. 

A.J. Nash: Don't give away personal information, of course. We all know this one, right? You know, if somebody is asking, especially if they're pushy about personal information that doesn't make sense, don't allow it. In the event that you purchase something - you know, there's something called a non-delivery scam, where somebody may impersonate a retailer. They might even set up a fake website. If you buy something and you don't get a tracking number, that's a sign, and you might want to take action early to prevent the fraud from going through. You know, most of our credit card companies, thankfully, are pretty protective of us. There's other services like PayPal that are as well. If you get to this early enough, you might be able to reverse a charge. So also, that's an indicator. 

A.J. Nash: If you're - if you thought you weren't sure and you took the chance anyway, and now you can't get a tracking number and nobody's responding to your emails, don't wait. You know, assume that that's going to be a scam and go right to work with your credit card company and have them shut that off. If it turns out it's not a scam, you've inconvenienced the seller. You know, that's a safe, you know, effort for us to take on. I think those are a handful of things that we can tell people that I think people can connect to and understand. 

A.J. Nash: You know, when in doubt, due diligence is really important. And again, you know, the last bit we all know is just because you read it on the internet doesn't mean it's real. I don't care what site you're on. I don't care, you know - and I don't care if it seems real - oh, this guy's really excited about it on Facebook, and I followed him on other things, and he's interesting - it doesn't mean it's real. If somebody else who doesn't have any expertise tells you, no, I just bought it, it's great, but they haven't received the thing yet, don't run out and buy the thing. You know, it's - we've got to - unfortunately, we've got to take a pause and take a second. I don't know what the hot item is this year, you know? And I'm old enough to remember when it was, you know, Tickle Me Elmo or Cabbage Patch Kids or... 

Dave Bittner: (Laughter) Right, right. 

A.J. Nash: ...You know, whatever, right? I'm sure there's something like that this year. 

Dave Bittner: Yeah. 

A.J. Nash: And I'm sure people are desperate for it. Whatever that thing is, those hottest items are the ones that we have to be the most careful about. 

Dave Bittner: That's A.J. Nash from ZeroFox. 

Dave Bittner: It is always a treat to welcome back to the show the CyberWire's own Rick Howard. He is our chief security officer, also our chief analyst. Rick, welcome back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So for this week's "CSO Perspectives" show, you are rolling out another one of your popular "Rick the Tool Man" episodes. And this one... 

Rick Howard: I love these. 

Dave Bittner: ...Is on - yeah, me too. These are on cloud security. What do you got in store for us? 

Rick Howard: Well, Dave, as you know, I am a sucker for good information design. You know, I was brought up back in the day on the Edward Tufte school of how do you convey complex information, either on a page or a slide or a webpage, in some efficient manner but providing as much intelligence as possible to help leaders make decisions with? Are you familiar with Dr. Tufte, Dave? Have we talked about him before? 

Dave Bittner: I am actually familiar with him, yes. I have a couple of dear friends who went to art and design school, so they turned me on to him. 

Rick Howard: Oh, yeah, our boss. 

Dave Bittner: Yeah, in fact, as I look across at our CyberWire library of books, there are several of his books that are in our library here. So I'm absolutely familiar with his stuff and certainly admire and appreciate it. 

Rick Howard: Well, he does this American city tour every year, and it's an eight-hour seminar that's relatively cheap. And at the end, you get to take home all four of his books. I've been to it twice, and I highly recommend it. So when I see a great example of information design, I stop what I'm doing and take a moment to take a look at it. 

Dave Bittner: Yeah, I'm the same way. You know, over in our CyberWire Slack channels, you were saying that the intel team from a company called Expel, which I believe is a software-as-a-service-delivered SOC service. 

Rick Howard: Yeah. 

Dave Bittner: They had produced a one-pager for both AWS and GCP about how cyber bad guys had traversed the intrusion kill chain using APIs. 

Rick Howard: I know, and I love it. It's on one page. The Expel intel folks lay out the MITRE ATT&CK TTPs used by the adversary campaigns, the cloud providers' services those campaigns leverage, the associated identity and access management services they subvert and all the API calls used in the campaign. So in this "Rick the Tool Man" episode of "CSO Perspectives," I interviewed the senior intel analyst at Expel to talk about how to use the chart in your day-to-day operations. 

Dave Bittner: All right. Well, that is over on the Pro side. What episode are you publishing on the public side? 

Rick Howard: In the public feed, we publish "CSO Perspectives" shows from the archive. It's called "CSO Perspectives (public)." Who knew? You know, that's a really great name, right? 

Dave Bittner: (Laughter) Clever. 

Rick Howard: (Laughter) So this week's show is from February of this year. I'm talking to Amanda Fennell, the CIO and CSO of Relativity, about how to manage the risk of the software supply chain. 

Dave Bittner: Yeah, always time well spent chatting with Amanda. She has her own podcast that's hosted here on the CyberWire network. It's called "Security Sandbox." I have always enjoyed every conversation I've had with her. 

Rick Howard: Yeah, it's a great show, and she's one of the shining lights in our industry. And since Relativity delivers its services as a SaaS product, she knows a little something about how to reduce the risk of the software supply chain. 

Dave Bittner: Good stuff. Before I let you go, what is the phrase of the week over on the "Word Notes" podcast? 

Rick Howard: So this week, we're talking about the history of the domain name system and how it works, this little system that practically nobody pays attention to except for network managers and nerds like me who like internet history. But it's the lubricant that makes the internet work, and it's so complicated. So we try to make it understandable to the layman's point of view this week. 

Dave Bittner: All right. Sounds good. Rick Howard, he is the CyberWire's chief security officer and our chief analyst. But most importantly, he is the host of the "CSO Perspectives" podcast. Rick, great talking to you. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. See you back here tomorrow.