The CyberWire Daily Podcast 1.23.23
Ep 1744 | 1.23.23

Contractor error behind FAA outage. OneNote malspam. Vastflux ad campaign disrupted. Ukraine moves closer to CCDCOE membership. Alerts for gamblers and gamers.

Transcript

Dave Bittner: The FAA attributes its January NOTAM outage. Malicious OneNote attachments are appearing in phishing campaigns. The Vastflux ad campaign has been disrupted. Ukraine moves toward closer cybersecurity collaboration with NATO. Rick Howard considers the best of 2022. Deepen Desai from Zscaler looks at VPN risk. And finally, we're betting you want alerts for sports book customers and online gamers.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 23, 2023. 

The FAA attributes its January NOTAM outage to a contractor error.

Dave Bittner: The Wall Street Journal reported late last week that the FAA has traced the cause of this month's NOTAM outage to an error committed by IT contractors during synchronization of backup files. The Journal wrote, the Federal Aviation Administration said Thursday that a contractor working for the air safety regulator had unintentionally deleted computer files used in a pilot alert system, leading to an outage that disrupted U.S. air traffic last week. The agency, which declined to identify the contractor, said its personnel were working to correctly synchronize two databases - a main one and a backup - used for the alert system when the files were unintentionally deleted. 

Malicious OneNote attachments appearing in phishing campaigns.

Dave Bittner: BleepingComputer reports that criminals are using OneNote files attached to malicious spam emails to install remote access Trojans - the Quasar RAT among them. OneNote doesn't use macros, and so malicious files have, in many cases, escaped detection by the usual technical screening tools. The attachments do generate a familiar, general warning, stating, opening attachments could harm your computer and data. Don't open it unless you trust the person who created the file. But experience shows that many users regard the warning as pro forma background noise and click through anyway, thereby installing the RAT. 

Vastflux ad fraud campaign exposed.

Dave Bittner: The Vastflux ad fraud operation has been disrupted by researchers at the security firm HUMAN. Most of the affected apps were developed for iOS. The researchers write, at its peak, Vastflux accounted for more than 12 billion bid requests a day. More than 1,700 apps and 120 publishers were spoofed, and the scheme ran inside apps on nearly 11 million devices. It made money through click fraud, stacking large numbers of invisible ads beneath visible advertising banners. Up to 25 video ads would run behind the user's active window. HUMAN Security's description of the campaign portrays a criminal enterprise that operated with a degree of sophistication. The name HUMAN gave the operation, Vastflux, for example, alludes to the fast flux technique the criminals employed to evade defenses by rapidly moving across a large number of IP addresses and DNS records associated with a single domain. It also showed considerable familiarity with the online advertising sector. HUMAN writes, the fraudsters behind the Vastflux operation have an intimate understanding of the digital advertising ecosystem. They evaded ad verification tags, making it harder for this scheme to be found. So Vastflux is down - for now, anyway - and bravo to HUMAN and its partners for the takedown. But as the researchers note, the perpetrators remain unidentified, and they can be expected to attempt to come back. So continued vigilance is in order, but cooperative defense of this kind has one signal virtue. It makes the hoods work harder to pull off a successful grift. 

Ukraine moves toward closer cybersecurity collaboration with NATO.

Dave Bittner: Turning briefly to the cyber phases of Russia's war against Ukraine, last week, Ukraine signed an agreement to join NATO's Cooperative Cyber Defence Centre of Excellence. The CCDCOE is based in Tallinn, Estonia. Ukraine's accession to the Centre will become official once the Centre's current members sign the agreement, but that agreement is widely expected to come swiftly. Closer cooperation is seen as benefiting both Ukraine and NATO. Nataliya Tkachuk, who directs information security and cybersecurity at Ukraine's National Security and Defense Council, told the Record, Ukraine's experience is unique, and we are ready to share it with our allies - from the public-private partnership and effective involvement of cyber volunteers to methods of detecting and neutralizing cyberattacks from Russia. 

Dave Bittner: Russian cyberattacks against Ukraine have fallen well short of expectations during Russia's war, but according to the Hill, that's not for lack of trying. Ukrainian officials put the number of cyberattacks against their country during 2022 at more than 2,000, with most of them originating in Russia. Yuriy Schygol, head of the State Service for Special Communications and Information Protection, said in a media availability covered by Reuters, essentially, all hackers who work with Russia, most of them don't even hide their affiliation. They are all funded by the FSB, Russia's Federal Security Service, are on military service or are in the employ of those agencies. Breaking Defense says U.S. officials warned late last week that while there are reasons for optimism, it's important for organizations to keep their guard up and to recognize that Ukraine has for several years worked to perfect its defenses in ways that not many other countries have. 

Sports book alert.

Dave Bittner: So hey, everybody. Do you bet on sports? Neither do we. But if you did, you might want to check your six, as they say over in the Air Force. One of the aftereffects from the MailChimp breach disclosed on January 13th has been the possible compromise of personal information over at the FanDuel sports book site. BleepingComputer reports that FanDuel has found that audience data for 133 customers has been exposed and that those customers should be on the alert for account takeover attempts and phishing. As has been reported in connection with the recent MailChimp breach, the numbers of affected individuals didn't appear to be particularly large. The data isn't as sensitive as it might be, apparently consisting only of customer names and email addresses. But, of course, even slim information can be of use in social engineering attempts. 

Gamer alert.

Dave Bittner: And finally, gamers, be ready for trouble the next time you squad up. Gaming website RockPaperShotgun reports chatter that modders are abusing remote code cheats to alter opponents' stats and disable accounts in Rockstar Games' Grand Theft Auto. The gaming news outlet Video Games published a public service announcement yesterday that warned, you may want to hold off playing GTA Online on PC for now, as a new exploit gives hackers complete control over your account. And there's not much you can do about it. The news about Rockstar, whose most famous title is Grand Theft Auto, comes from gamer chatter on Twitter and news accounts. Video Games describes the possible effects. The exploit lets hackers alter your character, change and remove stats and even outright ban or delete your account. 

Dave Bittner: That's not the only case being reported. In an unrelated incident, Riot Games tweeted late Friday, “Earlier this week, systems in our development environment were compromised via a social engineering attack. We don’t have all the answers right now, but we wanted to communicate early and let you know there is no indication that player data or personal information was obtained.” Dot Esports says that the attack preceded the start of various leagues in the League of Legends esports circuit. 

Dave Bittner: You know what? It occurs to us that FanDuel can let you place bets on esports. Not that you necessarily would, of course. But, you know, it's possible, or so we hear. Not that we would. You know? 

Dave Bittner: Coming up after the break, Rick Howard considers the best of 2022. Deepen Desai from Zscaler looks at VPN risk. Stay with us. 

Dave Bittner: And it is always my pleasure to welcome back to the program Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. But more important than any of that, he is the host of the "CSO Perspectives" show. 

Rick Howard: Exactly right, Dave. 

Dave Bittner: And, Rick... 

(LAUGHTER) 

Dave Bittner: ...If you're showing up here, that must mean that "CSO Perspectives" over on the pro side of the CyberWire is cranking up for a new season. So what do you got in store for us here today, Rick? 

Rick Howard: That's right, my friend. OK. It's "CSO Perspectives." It's starting its 12th season, if you can believe that. 

Dave Bittner: I can't. First of all, CyberWire has only been seven years. So you're, like, multiple seasons per year, right? 

Rick Howard: It's kind of like dog years, you know, just... 

(LAUGHTER) 

Dave Bittner: Fair enough. Fair enough. 

Rick Howard: And so we have the interns, you know, locked up in the bowels of the CyberWire sanctum sanctorum, and they've been working on some fantastic stories. But for this week, we are looking back in 2022 and highlighting some of the best podcasts and books that help me understand the cybersecurity landscape with a little more clarity. So I call this being a student of the cybersecurity game. 

Dave Bittner: Well, I know you are a big book guy with all of your volunteer work over on the Cybersecurity Canon project. What was your favorite cybersecurity book of 2022? 

Rick Howard: Well, I knew you were going to ask me that. So I'm going to cheat a little bit. I'm going to pick two, Dave, right? The best cybercrime book that I've read in the past decade is Andy Greenberg's latest, called "Tracers in the Dark." 

Dave Bittner: Right, right. You interviewed Andy about that book right before the holiday break. Actually, I listened to that just recently. Quite a story there. 

Rick Howard: It's an amazing story, right? And it's about a group of researchers first and then entrepreneurs and then law enforcement officials and how they figured out how to trace accounts on the Bitcoin blockchain that resulted in a series of high-profile arrests in the cyber underworld. And the bottom line here, Dave, is if you thought your Bitcoin history was anonymous, think again because it is decidedly not. They figured out how to determine all that stuff, all right? So watch out, all you people in the cyber underground. The second book I really want to highlight here is George Finney's "Project Zero." 

Dave Bittner: That makes sense because I know that zero trust is one of your key strategies you've been talking about for a while on the podcast. 

Rick Howard: Yeah. And George is one of the smartest cybersecurity practitioners on the planet. And as you would expect from George, his practical descriptions of the key elements of the zero trust philosophy are just perfect. So in this episode of "CSO Perspectives," we talk about those two books and a bunch of other books and podcasts that I found valuable last year. 

Dave Bittner: All right. Well, that is on the "CSO Perspectives" Pro, on the subscription side of our network. What's going on over on the public side? 

Rick Howard: Yeah, every season, we roll out old episodes in the "CSO Perspectives" archives and - to allow our listeners a chance to see what they're missing by not being a Pro subscriber. And so this week's - yeah, you know, because we got to get the cash coming in, you know? 

Dave Bittner: Sure. 

Rick Howard: Sure. 

(LAUGHTER) 

Dave Bittner: The suits down the hall, you know... 

Rick Howard: (Laughter) Yeah, the suits. 

Dave Bittner: ...The bean counters. They - we got to make them happy. It makes it all happen. Yeah. 

Rick Howard: Exactly right. And so this week's show is a Rick the Toolman episode from May of 2022. It's everything you ever wanted to know about the relatively new idea called software bill of materials, or SBOMs. 

Dave Bittner: Oh, yes. Very good. Well, that is over on the "CSO Perspectives" public feed. Before I let you go, what is the phrase of the week over on the "Word Notes" podcast? 

Rick Howard: Yeah, this week's word is CIRT with an I for cyber incident response teams. And we try to clear up the industry confusion on what exactly is the difference between a CIRT with an I, a CERT with an E for a computer emergency response team and a SOC for a security operations center. And we even have a cool clip from an old TV show, Dave, and I know you appreciate - do you remember "24" with Jack Bauer... 

Dave Bittner: Sure. 

Rick Howard: ...And all that? Well... 

Dave Bittner: Yeah, yeah, yeah. 

Rick Howard: ...They actually - yeah, it's a fantastic show. And they have a CIRT with an I in action. So you need to come listen to that. 

Dave Bittner: All right, well, you can check it all out. It's on our website, thecyberwire.com. That's "CSO Perspectives." Rick Howard, thanks for joining us. 

Dave Bittner: And joining me once again is Deepen Desai. He is the global CISO and head of security research and operations at Zscaler. Deepen, it's always great to welcome you back to the show. I want to touch today on the report that you and your colleagues recently released. This is your "2022 VPN Risk Report." What can you share with us today? 

Deepen Desai: Thank you, Dave. Thank you for having me here. And what a perfect topic to kick off the discussion. So the VPN report that we published - it involved the ThreatLabZ team looking at some of the attacks over the past couple of years where VPN was being targeted as one of the entry points. And as part of this research, we spoke to hundreds of cybersecurity professionals to get their insight, as well, when it comes to the state of VPN and, you know, the rise in VPN vulnerabilities and the threat landscape that's targeting that. So some of the key findings - 78% of the organizations that we spoke with are concerned about ransomware attacks, which is not surprising because many of the ransomware attacks - as we have seen in several high-profile breaches - start with, you know, targeting that VPN concentrator or leveraging a compromised credential to get inside the network. And because of the way VPN is architected, it brings the user on the same network as your business-critical applications, which allows threat actors to perform lateral movement and achieve their targets. Sixty-five percent of companies were already considering VPN alternatives. About 44% of the organizations reported an increase in exploits targeting their VPN infrastructure since adopting remote work. Now, this again aligns with what we're hearing from US-CERT and various regional agencies that there are dozens of threat actor groups that are specifically going after, you know, VPN concentrators to get a foothold inside the environment. 

Dave Bittner: I'm curious when it comes to the providers of VPNs themselves - you know, I think particularly on the consumer side, it's fair to say there's a wide spectrum in the quality of the providers there. On the B2B side, are things better? Is it easier for folks to shop around and find a high-quality VPN provider? 

Deepen Desai: Yeah. So I do see, you know, two types of VPN being mixed up by most folks, right? So the consumer side - I mean, the regular user - when they think of VPN, they're looking to anonymize, right? For privacy reasons, they would rely on some of these VPN providers when they're visiting internet-bound destinations. Those are anonymizer VPN kind of services that provide privacy to the end user. So there's no tracking. There's no, you know, source profiling being done. The VPN that we're talking about as part of this report is the one that provides remote access to your corporate environment, to your business applications. And that's the VPN we're focusing on for this report. And it's not about, you know, good-quality VPNs or one vendor being better than the other. It's inherently the underlying architecture. It's several decades old - right? - and the concept of bringing a user on the same network as other users as well as your applications. 

Deepen Desai: Even if you have ACLs and other criteria defined, what we're starting to see is threat actors will weaponize the payload with zero-day exploits, and then once they're on the network, they will exploit those vulnerabilities and gain escalated privileges and move laterally. So it's the architecture that is being exploited, and that's where, you know, most of these organizations are looking to move towards zero trust. So one of the stats in the report calls out that 80% of the organizations are already in the process of adopting zero trust, which is a perfect alternative to VPNs. 

Dave Bittner: So what are your recommendations then? I mean, based on the information that you all gathered in this report, what would you say to folks out there who are either using VPNs or considering it, or I suppose, as your report points out, some folks are looking for alternatives? 

Deepen Desai: Yeah. So one of the easiest ways to think about how you are improving your security posture, how you are providing secure remote access to your business-critical applications, is: what if one of those endpoints that's trying to connect to your internal systems - right? - it could be an employee endpoint - is compromised - right? - is infected, or one of your user identities were to get compromised? You need to ask yourself a question. What is the blast radius from that machine that is coming in through VPN - right? - or any technology, for that matter? And that, basically, will clearly outline the advantages that a true zero-trust solution provides. 

Deepen Desai: And the reason I gave this example was there's a lot of noise out there even when it comes to usage of zero trust, right? Every other vendor is saying they're a zero-trust solution. So in order to think holistically, like, ask yourself this question. Whatever technology you're adopting, is it providing you true user-to-app and app-to-app segmentation that will reduce the blast radius from a single compromised asset? And if the answer is yes, then you are doing it right, right? If the answer is like, oh, it will require me to set up these networking rules, firewall rules, you know, that's an old way of doing it. 

Dave Bittner: All right. Well, interesting information for sure. Deepen Desai, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. 

Rick Howard: Hey, everybody. Rick here. If you're anything like me, you hate commercials. So subscribe to CyberWire Pro and get all of our public podcasts ad-free, as well as our exclusive CyberWire Pro podcasts, briefings, articles, events and bonus content. Designed for the busy professional, CyberWire Pro cuts through the noise and disinformation, giving you access to actionable reporting, trends, analysis and insight on global events occurring in the industry all at your fingertips. Subscribe to the CyberWire Pro today for only $9.99 a month, or save with an annual subscription for only $99. That is well worth it to get rid of all of those commercials. Visit thecyberwire.com/pro to subscribe today.