The CyberWire Daily Podcast 12.21.22
Ep 1728 | 12.21.22

Developing a banking Trojan into a newer, more effective form. Cyberattacks on media outlets. Abuse of AWS Elastic IP transfer. Notes on the hybrid war. And cybercrooks are inspired by Breaking Bad.


Dave Bittner: The Godfather banking Trojan has deep roots in older code. FuboTV was disrupted around its World Cup coverage. The Guardian has been hit with an apparent ransomware attack. A threat actor abuses AWS Elastic IP transfer. Moldova may be receiving more Russian attention in cyberspace. CISA releases six industrial control system advisories. Ben Yelin looks at legislation addressing health care security. Our guest is Hugh Njemanze of Anomali with advice on preparing for the holiday break. And criminals are impersonating other criminals in underworld markets.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 21, 2022. 

Godfather banking Trojan has deep roots in older code.

Dave Bittner: Group-IB reported this morning that the Godfather banking Trojan is currently in wide use against popular financial services worldwide. The researchers say Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services and drain the accounts. To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets and crypto exchanges. The malware is based on the old Anubis Trojan, updated and improved. Godfather is offered in the C2C malware-as-a-service market, and it's distributed in the form of Trojanized applications, Group-IB says, sold in Google Play. 

Dave Bittner: Group-IB observes that the case of Godfather highlights how quickly Trojan developers can adapt their tools and stay one step ahead of their Android counterparts. Additionally, it shows how easily available source code, such as that of Anubis, can be modernized and relaunched, especially under the malware-as-a-service model. 

Dave Bittner: Significantly, the researchers say, Godfather shuts down on an infected device if it detects that the user is from Russia or a CIS country, the Commonwealth of Independent States still being treated as more-or-less friendly to Russia. 

Dave Bittner: And Godfather seems to have had some success in flying under the incautious user's radar. Group-IB writes, by imitating Google Protect, Godfather can easily go undetected on infected devices. Unwitting users believe they are being protected by an Android service. But in fact, the malicious actors gain access to their banking and financial portal accounts. While Group-IB does not have definitive data on the amount of money stolen by operators of Godfather, the methods harnessed by malicious actors are cause for concern. 

FuboTV disrupted around World Cup coverage.

Dave Bittner: Streaming service fuboTV reported that it fell victim to a cyberattack last Wednesday that knocked out access to the service during the time of the World Cup semifinal game between France and Morocco. The Record reports that at around 9:20 a.m. that day, the company reported an investigation into account-related issues, namely logging into and creating accounts. They reported working to resolve the issue throughout the day, though they acknowledged at midnight that some people were still unable to access the server. The Hollywood Reporter says that a statement from the company released Thursday morning following the incident says that the incident was not related to any bandwidth constraints on Fubo's part and fuboTV takes this matter very seriously. Once we detected the attack, we immediately took steps to contain the incident and work to restore service to all of our users as quickly as possible. Service was fully restored by last evening. We deeply regret the disruption caused by this incident in the meantime. The statement has since been updated, noting that disruptions to the service are no longer a concern and that the World Cup final went off without a hitch.

The Guardian has been hit with apparent ransomware attack.

Dave Bittner: The British newspaper The Guardian was hit late yesterday by what appears to have been a ransomware attack. It seems to have affected mostly back-office infrastructure, and the paper says it expects to publish both print and online editions as usual. The Guardian notes that journalistic outlets are being increasingly subjected to attacks by nation-states, but goes on to say that this incident appears to be conventional criminal ransomware activity. 

Threat actor abuses AWS Elastic IP transfer.

Dave Bittner: Mitiga yesterday released research discussing a new potential threat vector that leverages an AWS functionality known as Elastic IP transfer. In October of this year, a new Amazon VPC feature was released called Elastic IP transfer. The function allows for the transfer of Elastic IP addresses between AWS accounts. Something important to note is that the Elastic IP transfer capability extends beyond the user and even their organization. The EIPs can be transferred between any active AWS accounts. If the correct permissions are enabled on the AWS account of a potential victim, a malicious actor can dive in with a single API and transfer the EIP of the victim to their own account. This is noted to be a later-stage attack, occurring after initial compromise. 

Moldova may be receiving more Russian attention in cyberspace.

Dave Bittner: Balkan Insight reports that Telegram chatter posted online that represents itself as originating with Moldovan leaders is fabricated. The communications were presented as exchanged among Moldova's president and two Cabinet ministers. The ministers and the office of pro-European President Maia Sandu say the content of the alleged conversations is fake. But Iurie Turcanu, Moldova's deputy prime minister in charge of digitalization, says the attacks themselves are real and increasingly sophisticated. The fabricated contents suggested collusion between the government and criminal elements, and the campaign is regarded as a Russian disinformation effort. 

CISA releases six industrial control system advisories.

Dave Bittner: CISA yesterday released six industrial control system advisories. They cover systems by Fuji, Rockwell, ARC and Prosys. As usual, operators of industrial control systems should consult the advisories and apply the appropriate mitigations. 

Criminals impersonating other criminals' underworld souks.

Dave Bittner: Sophos has uncovered a scam campaign that's impersonating various criminal marketplaces. The researchers first found a spoofed version of the Genesis Market, which asked users to pay a $100 deposit in order to access the site. The real Genesis Market is invite-only. This led the researchers to discover 19 other sites set up by the same actor. The sites contained some errors, but they appear professional and appeared prominently in search engine results. The scammer, or scammers, also advertised the sites on Reddit, and their Bitcoin addresses have received more than $132,000. The researchers believe the scam is designed to take advantage of inexperienced researchers, would-be threat actors and the generally curious. 

Dave Bittner: The researchers found circumstantial evidence tying the scam to a user on a criminal forum with the username waltcranston, a portmanteau word that combines the first name of the lead character of the TV show "Breaking Bad" with the last name of the actor who plays him. So waltcranston is apparently a "Breaking Bad" fan. He's also apparently, himself, a meth dealer like his TV hero. He was listed as a meth dealer on several underground marketplaces. Waltcranston was accused by several members of these forums of setting up scam sites after retiring from dealing drugs. 

Dave Bittner: That whole honor among thieves schtick didn't work out in the original TV show either. Good show. Have you seen it? Spoiler alert, it doesn't end well. So stay away from those Los Pollos Hermanos. 

Dave Bittner: Coming up after the break, Ben Yelin looks at legislation addressing health care security. Our guest is Hugh Njemanze of Anomali with advice on preparing for the holiday break. Stick around. 

Dave Bittner: As the clock ticks down towards the end of the year and the holidays approach, there is a palpable, low-level anxiety that settles in over folks in the InfoSec world. Will we be able to enjoy our long winter's nap or will there be another big one, an all-hands-on-deck breach pulling us away from friends and family? I checked in with Hugh Njemanze, founder and president of Anomali, for his perspective on the holidays as an attractive target. 

Hugh Njemanze: There are some tried and true principles that should be sort of the first things to check on your list. There is a notion of defense and depth. And defense and depth really has to do with kind of layering your security precautions, so that if an opponent gets past one layer, then they run into another one. So basically succeeding at one part of an attack doesn't necessarily get them to the prize. And so it's similar to - what did they used to call that? - LoJack in cars. You look at a car and if you see that it has some defenses, maybe you move on to the next car. And so if you can layer your defense so that there's multiple different hurdles that someone has to cross, that's a good principle in general. And there's ways to do that. So that's one clear strategy to adopt. 

Hugh Njemanze: Another thing is that there are precautions that are kind of common sense. So when you're looking at, for example, ransomware, then it helps to have a strong, usable backup of all the systems that are critical to you so that if those systems are held hostage, your first recourse is to ignore the ransom, wipe those systems and restore them from a trusted backup. Now, if you're going to do that, it's important that the backup itself not already be infected or corrupted. And it's important that you have confidence that you can restore those backups by actually trying them when there isn't a threat. So that's one example. 

Hugh Njemanze: With attacks like Log4j, what's insidious about them is that they are vectored in through stuff that you already trust from your actual provider vendors. In other words, software that you yourself are installing may already be compromised before it's delivered to you. And so as an organization, you are unaware that you're inserting Trojan horses when you update your systems. And so, for example, in the case of Log4j, given that Apache was infected, then it really wasn't anything that the customer was doing wrong themselves. It's just the fact that Apache itself had already been compromised. And so in those kind of cases, there is an approach that I think is important but not necessarily considered a lot, which is that, you know, the first obvious thing is to identify where you have those vulnerabilities. In other words, if it's a vulnerability in a tool like Apache, which systems have that deployed? So that part, I think, is fairly common tradecraft. So if you have 12,000 systems, then you can do a scan and determine that 10,000 of them have software that can be compromised. So that's good. 

Hugh Njemanze: But if it's the majority of your systems, it doesn't really reduce the problem of how do I focus on the most important systems? And so this is where I would say there is an approach that can be very complementary to simply cataloging where your vulnerabilities are. And that approach is to combine the catalog with identifying which systems have had external interactions. And more specifically, if you have relevant threat intelligence, what you want to do is match that intelligence against which of your systems have been accessed. So the idea is to maybe out of 10,000 systems from the full 12,000, you want to know maybe 100 of those have actually had external interactions with potentially malicious actors or known malicious actors. And so now you have a much more focused game plan you can put in place, which is let me defend those systems in depth, and also let me analyze those systems to see if they've already been compromised or if something is spreading from those to their neighbors. So, again, the idea is not just which systems are vulnerable, but which ones are interacting with external actors. 

Dave Bittner: Yeah, that's interesting. I'm curious for your take, also, on the human side of this - just, you know, preparing the team for the possibility that something could come along that'll interrupt their break. 

Hugh Njemanze: Right. Well, again, some things are common sense. So it's important to stay sort of vigilant and aware so that when you are receiving updates, you want to do whatever - you want to use whatever tools you have that can verify that a particular update does not have compromises that the earlier trusted version didn't have. That might be easier said than done, but it's a principle to sort of keep people aware of and train them on. With the human side of attacks, which is basically anything that relies on extracting information through tricking somebody on their job, then people always have to be aware that any call they receive or any email they receive or anything that requires clicking may or may not be what it looks like. Sometimes it's easy to spot by looking for grammar flaws and so on. So if you're a - what should I call it? - if you're an OCD grammarian, then those things are going to sort of trigger your antenna automatically. But even if you're not, you should notice anything that looks like - probably not written by the company that it purports to be coming from. 

Dave Bittner: That's Hugh Njemanze from Anomali. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting article from the folks over at Healthcare IT News - this is written by Andrea Fox, and it's titled, "Senator Warner issues healthcare cybersecurity policy options." What is going on here with the good senator from Virginia? 

Ben Yelin: So Senator Warner is the co-founder of the Senate Cybersecurity Caucus. He's also been the chair of the Senate Select Committee on Intelligence. So he's a pretty important figure in the Senate. And he has released a paper on how to improve cybersecurity in health care systems, in the health care field. 

Dave Bittner: OK. 

Ben Yelin: So he makes a number of recommendations. The biggest, and I think the one that's most noteworthy, is he calls for the creation of a health care cybersecurity czar. And that would be somebody who evaluates national risk posture in the health care industry, figures out how to respond to cyber incidents among health systems, and develops incentives that might help improve health care cybersecurity capabilities. Remember when czars were once very controversial as government figures? 

Dave Bittner: (Laughter) Yes, I do. 

Ben Yelin: They're kind of unaccountable bureaucrats. I think czars are kind of back in favor, just... 

Dave Bittner: OK. 

Ben Yelin: ...Somebody who can... 

Dave Bittner: Fashion? 

Ben Yelin: Yeah, they're back in fashion. It's just somebody who can devote attention to a very narrow issue, where, you know, even somebody who is the head of CISA, for example, can't focus narrowly on the health care industry. 

Dave Bittner: Well, that was going to be my question. Where would be the sensible place for someone who's given this task to live? Would that be working with CISA? 

Ben Yelin: Yeah... 

Dave Bittner: What do you think? 

Ben Yelin: ...I think it would probably be, like, a subposition within CISA. 

Dave Bittner: Yeah. 

Ben Yelin: So you just have, you know, one department that focuses on health care, and then that's where you put your health care cybersecurity czar. He also came up with a bunch of different policy recommendations that he thinks should be introduced and passed by Congress - so things like requiring HHS to perform more regular updates on HIPAA, particularly as it relates to new technology, new applications and consumer devices, a workforce development program that focuses specifically on health care cybersecurity, minimum cybersecurity hygiene practices for hospitals and health systems, where you have incentives for compliance and disincentives for noncompliance, addressing the problem of legacy systems - I know that's been a huge issue. 

Dave Bittner: Oh, yeah. 

Ben Yelin: Many health systems rely on, you know, the equivalent of Windows 98 in their offices. 

Dave Bittner: Right. 

Ben Yelin: And that certainly presents major vulnerabilities. We've certainly seen that at the government level, as well. For example, in Maryland, our Department of Health in the state was vulnerable to a ransomware attack in the winter of 2021, largely because we were using legacy systems. His last proposal would be to require a software bill of materials for all software and devices used in health care. 

Dave Bittner: Yeah. 

Ben Yelin: So this is kind of a manifesto for this area of cybersecurity policy. I think it's aspirational - certainly not going to happen in the next couple of weeks in this current Congress. But he's going to maintain this role as a cybersecurity expert and also with his chairmanship in the Senate. So it's something that I think we should pay attention to in the next couple of years. 

Dave Bittner: Yeah. That's part of my next question, which is, someone in his position who sits on the committees that he sits on, what is his ability to push something like this through? How would he - how does he go about that? 

Ben Yelin: Well, you hold a lot of committee hearings and get some testimony from experts. And then, you know, the way Congress works is it's really hard to pass anything. But you probably try and get this... 

Dave Bittner: Does he find something else to slip this into (laughter)? 

Ben Yelin: Exactly. Yeah. It'll be, like, the Shelter for Puppies Bill and tucked in a tiny little provision for health care cybersecurity policy. 

Dave Bittner: OK. Right. Right. 

Ben Yelin: But more seriously, this is the type of thing that would be included in more like an omnibus cybersecurity bill. 

Dave Bittner: I see. 

Ben Yelin: But that's why you present these ideas in the first place, so when that vehicle comes across the Senate, comes in front of a committee and onto the Senate floor, you already have a set of proposals that you can kind of log roll into that larger bill. And I think that's what his goal is here, is to set out these aspirational goals and then see how much of it can be attainable, certainly in the next couple of years. 

Dave Bittner: Do you spot anything controversial in here? I mean, we - I think we're still in a mode where it seems like cybersecurity provisions are generally adopted or encouraged in a bipartisan way. 

Ben Yelin: Yeah, I agree. I don't see anything that jumps off the page that's going to be, you know, like, a shouting match on cable TV news about any of this. I will say that some of the disincentives for hospital systems, penalties for noncompliance, penalties for not following minimum cyber hygiene practices - you might get pushback from the industry, hospitals and health systems. 

Dave Bittner: Right. Additional regulatory burden. 

Ben Yelin: Right, which, you know, certainly, I understand. But they're also going to be given incentives for good behavior. 

Dave Bittner: Right. 

Ben Yelin: So - but that's where I would see the area for the most potential pushback. No industry likes to be regulated and likes to be subject to noncompliance penalties from the federal government. 

Dave Bittner: Yeah. 

Ben Yelin: And hospitals and health systems are powerful influences in Washington. They have some of the best lobbyists out there. So I think that would be the one area that would be particularly controversial, but I wouldn't guess that that would be a burden for overcoming this general policy framework on health care cybersecurity. 

Dave Bittner: All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you all back here tomorrow. 

Dave Bittner: One final note - we will be taking a break from our regularly published programs from Christmas Eve to New Year's Day. But not to worry, we still have an exciting lineup of great CyberWire Pro content that you won't want to miss. So stay tuned. And happy holidays, everyone.