The CyberWire Daily Podcast 2.7.23
Ep 1755 | 2.7.23

Update: VMware ESXi exploitations. Super Bowl cyber risks. Scalping bots. The curious case of the Moscow billboards.


Unidentified Person: You're listening to the CyberWire network, powered by N2K.

Dave Bittner: VMware ESXi exploitations. Super Bowl cyber risks and scalping bots. The curious case of the Moscow billboards. Joe Carrigan tracks pig butchering apps in online app stores. Our guest is David Liebenberg from Cisco Talos to discuss incident response trends. And in sports ball, it's going to be the Chiefs by a couple of hat tricks or something like that. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 7, 2023. 

Update: VMware ESXi and ransomware.

Dave Bittner: More information has come to light regarding the widespread ransomware attacks exploiting a two-year-old vulnerability in VMware ESXi servers. The ransomware, which is being tracked as ESXiArgs, appears to be a new strain. SC Media reports that Europe has so far been the hardest-hit region, followed by North America. The U.S. Cybersecurity and Infrastructure Security Agency has offered its help, saying, CISA is working with our public and private sector partners to assess the impacts of these reported incidents and provide assistance where needed. 

Dave Bittner: VMware yesterday published a statement on the incident, noting that they have not found evidence of an unknown vulnerability, a zero-day, being used. Most reports suggest the attacks are targeting products that are end of general support or out of date and that they can be addressed by upgrading to the latest supported releases of vSphere components. VMware also recommends disabling the OpenSLP service in ESXi. Versions released as of 2021 ship with this service disabled by default. It's worth noting again that the vulnerability being exploited is one VMware patched last year, and so mitigations and fixes are indeed available. 

Sorry, rest-of-the-world: Super Sunday is fast approaching.

Dave Bittner: What follows is inevitably going to be an American thing. So rest of the world, receive this with our apologies. This coming Sunday is, as you may have heard, the day on which the Super Bowl will be played to decide the championship of the National Football League. That's American football, friends, not the sort of football they mean in, say, the U.K. or most of Latin America. We know. We know. The whole business has been completely devoid of interest since the Baltimore Ravens were eliminated in the Wild Card round. But apparently people in places like King of Prussia, Pa., and Peculiar, Mo., are following the buildup to the big game, which no longer appears so big to the rest of us since, as I said, the Ravens are out of it. 

Dave Bittner: Anywho, the scammers are trying to ride the NFL's hype cycle, as scammers will. Proofpoint describes a spike in Super Bowl-themed spam over the past weeks, and Synopsys casts a skeptical eye on sports book apps. Proofpoint researchers say they've observed an 860% increase in smishing attacks during the NFL playoff period. The vast majority of the text messages contained a shortened link leading to a malicious website. The messages contain phony offers for iPad giveaways or free betting money. The researchers expect these scams to increase as the Super Bowl approaches, and the researchers are probably right. Free betting money might as well come with the lead-in step right up, and step right up they will. 

Dave Bittner: The whole betting angle is entirely foreseeable. Synopsys has just published a report looking at the security of the top 10 sports betting apps for Android devices. The researchers found that all of the apps use outdated, open-source components that contain vulnerabilities. The vulnerabilities aren't necessarily exploitable within the apps themselves, but they're not a good sign. Synopsys says their presence indicates that developers and app stores should refine their security practices, and Synopsys can say that again. 

Dave Bittner: In the meantime, checking my apps, because that's what all the kids are doing nowadays. We're taking - what? - the Chiefs to cover? Wait, wait. This mic was on? Oh, just kidding. No gambling here, friends. And in any case, go Chiefs, or if you prefer, fly, Eagles, fly. 

Scalping by bot.

Dave Bittner: Looking at other forms of online crime and fraud, DataDome has published a report on e-commerce bot traffic during the 2022 holiday season, finding that bots are growing increasingly capable of imitating human users. Most of the traffic observed by DataDome came from IP addresses in the United States. This doesn't necessarily mean the spammers are in the U.S., since they intentionally use IP addresses in the region they intend to target. And the researchers note that most of DataDome's customers are located in the U.S. Ninety-eight percent of the bots were designed to scrape online retailers' inventory and buy items to be scalped. The two most targeted sectors were electronics and footwear. The bots were particularly focused on gaming consoles and luxury or limited-edition clothing merchandise. It's striking how the digital versions of it-fell-off-a-truck and I-know-a-guy-who-knows-a-guy have cropped up. 

The curious case of the Moscow billboards.

Dave Bittner: And finally, electronic billboards in Moscow over the weekend displayed large, prominent ads for BlackSprut, an infamous dark web contraband market mostly involved in illicit drug sales. The Record reports that the ads featured a woman in what The Record calls a futuristic mask, but which looks more like some kind of kinky, erotic gear - or so we've heard; we are unacquainted with that stuff here on what is, after all, a family show - and the slogan - come to me if you're looking for the best. 

Dave Bittner: It's unclear why the ads appeared. But the competing theories are that, first, maybe it was an oversight. Someone just slipped up and, boy, are they in trouble. Or the billboards were hacked. Or the ads were permitted. That last one seems likeliest. BlackSprut is a successor to the now-defunct Hydra illicit market. And it handles a lot of trade, perhaps nearly 30% of the darknet market share globally. So BlackSprut may be too big to interfere with, and this may simply represent an evolution in the longstanding coziness between the Russian organs and the country's online gangs. So anyway, perhaps Mr. Putin wants to fire up that app. Treat yourself to some of that free betting money. We hear the smart play is the Chiefs by a couple of home runs or something like that. 

Dave Bittner: After the break, Joe Carrigan tracks pig butchering apps in online app stores. Our guest is David Liebenberg from Cisco Talos to discuss incident response trends. Stay with us. 

Dave Bittner: Dave Liebenberg is head of strategic analysis at Cisco Talos, where they recently released their quarterly Incident Response Trends report covering the fourth quarter of 2022. I spoke with Dave Liebenberg for the highlights. 

David Liebenberg: Targeting is always interesting - just seeing what the trends are, what are the industry verticals that are getting the most attention. And this quarter, Q4, the top targeted vertical was telecoms. Telecommunications was actually the top targeted vertical in nearly every quarter this year, apart from Q3, in which it was education. So telecoms have just been a big target this year. In previous years, it was skewed more closely to education, manufacturing and sometimes local government. 

Dave Bittner: Do you have any insights as to why telecoms might have this target on their back? 

David Liebenberg: You know, I don't have definitive reason for it, but to me, telecoms seem like a good target because, one, it's a good way to sort of maximize your threat service and pivot into other high-value targets that you want to get to. There's lots of legacy technology. There's lots of sensitive information. And, of course, there's lots of concern about no downtime. So I can certainly see why it's a popular target. 

Dave Bittner: One of the things that you all pointed out here was that there was a platform called Syncro that showed up a lot. Can you give us some of the information about that? 

David Liebenberg: Yeah, definitely. So Syncro is a remote management and monitoring tool, or an RMM. You know, these types of tools similar to, like, TeamViewer or things like that - we've seen a 10% increase in usage from last quarter this quarter. And added to that, Syncro itself was actually observed in 30% of engagements this quarter - so just a massive increase in the usage of that particular tool. And, you know, we've seen it being used in a variety of different threats from, you know, commodity loaders such as Batloader. We saw a Qakbot infection using it, phishing campaigns using it, ransomware using it. So it's very widespread and very popular among a diverse group of threat actors. 

Dave Bittner: Another thing you all pointed out was a possible rebranding of the folks behind Conti. 

David Liebenberg: Yes, that's correct - another one. It seems like it's the rebranding that never stops. But, yes, Royal Ransomware, which is a newer ransomware family that we just began observing this past quarter, appears to have been a rebrand from Conti, according to analysis from various security firms. And to me, one of the most interesting things about, you know, the emergence of these new ransomware actors and rebrandings and stuff like that is while ransomware has continued to be the most dominant threat that we face or that we see in IR engagements - it's been that way for many, many quarters since we've done this. While that game has remained hot, the players constantly shift because of infighting, because of law enforcement attention, because of, you know, many different reasons so that we're constantly seeing newer actors emerge into the field. 

Dave Bittner: Now, you all pointed out that nearly 40% of the engagements use phishing emails as their way to establish initial access but also that folks still seem to be lagging when it comes to multifactor authentication. 

David Liebenberg: Yeah, 30% of engagements this quarter basically had, you know, MFA that was not robust enough. Either they didn't have it at all, or they only had it on a handful of accounts or critical services. The recommendation - our top recommendation has been very consistent for the past year and change, really, which is you need to implement MFA. It needs to be implemented on everything critical, including, you know, EDR, VPNs. All that needs to be locked down because if, you know, the threat actor can uninstall your security systems, then they're not going to be very effective. MFA is hugely important, and the amount of phishing attacks that we observed this quarter just highlights how important it is and the gap that, you know, some enterprises have in implementing it. 

Dave Bittner: Well, beyond MFA, what are some of the other recommendations that you and the team there have? 

David Liebenberg: Yeah. So I've been really - you know, when I look towards what's going to happen in 2023 and thinking about future trends and stuff like that, I think phishing is just going to continue to get very, very effective. And, you know, it's - I think it has to lead to a little bit of a not-if-but-when mindset. And, you know, I think recommendations along that line is you need to sort of think about harm reduction. You need to think about getting that MFA on. You need to think about segmenting. You need to think about locking down powerful tools like PsExec and PowerShell to, you know, users who are - or very secure accounts. And you have to have sophisticated, you know, training for employees. And most importantly, you know - I always say this - you don't want to learn how to put out the fire as a fire's happening. So get an incident response plan in place. Get an asset inventory in place. Get logging in place. And make sure if something does happen, you're well positioned to help mitigate it. 

Dave Bittner: That's Dave Liebenberg from Cisco Talos. The report is titled Incident Response Trends in Q4 2022. We'll have a link in the show notes. 

Dave Bittner: And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute. Joe, interesting article from the folks over at Ars Technica. This is written by Dan Goodin, and he's actually referencing some research from the folks over at Sophos about some pig butchering scams that have made their way onto some of the app stores. Can you unpack what's going on here, Joe? 

Joe Carrigan: Yeah, it's a convoluted scam. I mean, it's really big because the payouts are big. 

Dave Bittner: Yeah. 

Joe Carrigan: So pig butchering, or in - what they're calling it here in this story - they - which I like a little bit better 'cause it doesn't sound so gross - is CryptoRom, which is a combination of cryptocurrency scams with romance scams. 

Dave Bittner: Ah. 

Joe Carrigan: So, you know, the typical pig butchering scam is one where you - the scammer hooks up with somebody, usually through romantic interludes - right? - through some romantic pretext. 

Dave Bittner: OK. 

Joe Carrigan: And over time, then the scammer tells the person, yeah, well, I've been making money with crypto here. Here's how I do it. And I invest in this company. And the victim then says, oh, well, maybe I'll try something - some of that with a little bit of money, right? 

Dave Bittner: Right. Right. 

Joe Carrigan: And they put a little bit of money in. By the time this is going on, by the way, the scammer already knows about how much this person is going - you know, whether or not this person's worth their time to pursue... 

Dave Bittner: I see. 

Joe Carrigan: ...Right? Does this person have money that I can steal from them? - and how much - like, a good idea of how much. So the person will put some money in. That money will grow. It doesn't really grow, but it looks like it's growing. And then that person can even make a withdrawal of the money they initially made, right? But if they put it in again, they start getting these reports. Oh, no, you can't pull the money out now. You have to put more money in to get money out. And they just keep leading the person on. And by they, I mean the organization... 

Dave Bittner: OK. 

Joe Carrigan: ...Right? So this article talks about the complexity of these organizations... 

Dave Bittner: OK. 

Joe Carrigan: ...And how big they are and how - and actually how the bottom level of this organization is essentially a bunch of people who have been imprisoned - falsely imprisoned - human trafficking operations from other countries. Their passports have been confiscated, and now they have to participate or there's a threat of violence. But up above them, there's people who build the infrastructure that is used for taking the money from people. And what the crux of the story is, is that there have been two apps that Sophos found in both Apple's App Store and in the Google Play Store. And these were initially a - one was a cryptocurrency price tracking app, and the other one was a barcode reader. And the way these things got through the vetting process was very similar to something that Charlie Miller did back in 2011, if - I'm going to hearken back to that. Charlie Miller found a vulnerability in the process of how apps were updated on the Apple App Store. 

Dave Bittner: OK. 

Joe Carrigan: At that point in time, it was called the iTunes App Store. Remember that? 

Dave Bittner: Yeah. Who's Charlie Miller? 

Joe Carrigan: Charlie Miller's a security researcher. 

Dave Bittner: OK. 

Joe Carrigan: He was at Twitter for a while. He actually - he and I actually were both working at Accuvant at the same time before that - before he moved on. 

Dave Bittner: OK. 

Joe Carrigan: I've never met Charlie. I mean, Accuvant was a big company at the time. 

Dave Bittner: Yeah. 

Joe Carrigan: But Charlie Miller and Chris Valasek are the ones that hacked the Jeep. 

Dave Bittner: Oh, yeah. Sure. 

Joe Carrigan: Yeah, that's Charlie Miller. 

Dave Bittner: OK. 

Joe Carrigan: And he's really good at hacking Apple products. I think another thing he did was - it may have been Charlie that did this - he got - put malware on the battery controller for an Apple MacBook. But Charlie's really smart. And back in 2011, he found a way to get an app - a malicious app - into the App Store. And what he did was he submitted an actual app. And then after the app had been approved, he published an update to the app with unsigned code, and Apple just pushed it out. And he went to Forbes and disclosed the vulnerability. 

Dave Bittner: Right. 

Joe Carrigan: I don't know if he went to Apple first. It's - I don't know the details, but as soon as the story went public, Apple suspended his developer account for a year... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which I was very critical of 'cause that's not how you reward security researchers. But this is kind of the same thing. It works very similar. But these apps don't publish new code. What's happening is outside of Apple and Google's control. So these apps all have dynamic content on them that is provided from a website. 

Dave Bittner: Right. 

Joe Carrigan: After the app has been approved, the back end of that website changes to provide malicious content that lets people use this interface as if it were a crypto exchange. And it's not. It's just a theft of cryptocurrency. So what happens is there's no banks involved at all. These people tell the victim, go to Binance, which is a legitimate cryptocurrency exchange you can give money to. 

Dave Bittner: Yeah. 

Joe Carrigan: So they're leveraging that infrastructure. They're saying buy some cryptocurrency. Send it to this app over here, this exchange over here, which you can do. You can send cryptocurrency between exchanges just by sending it to another address - let's say a bitcoin address. 

Dave Bittner: Right. 

Joe Carrigan: And that works just fine. Like, you can easily exchange between, like, Kraken and Coinbase... 

Dave Bittner: OK. 

Joe Carrigan: ...Or Binance and Coinbase, whatever. Any of these - you can send money this way legitimately all day long, but you can also be duped into sending it illegitimately. And that's what happens. These guys then start their scam. And they start telling people to put more and more money into it. And it's - we had a story on "Hacking Humans" about a guy that had his entire retirement drained by a similar scam, though it wasn't cryptocurrency-based, but it was, like, stock market-based. So we got these guys that run a hedge fund, and they're making tons of money. 

Dave Bittner: Right. 

Joe Carrigan: And that guy looked at his website every day and was like, man, I'm killing it. And he eventually put all of his money into there. And then once he stopped putting money in, they shut it down and took his money and left. 

Dave Bittner: Right. 

Joe Carrigan: And that's what happens here. They shut down the - you know, they stop communicating with you. Your money is already gone the moment you send it to them once you've put a significant amount into it. But the last part of this article is really telling. I'm just going to read it. He says, it's easy - I guess this is Dan Goodin that it says this - it's easy to read the details of these scams and wonder how anyone could fall for them. Sophos and others say the victims who get taken in are often well educated, some with PhDs. Some of the techniques responsible for success include the length of the engagement the scammers have with the victim and the proof of the initial withdrawal is possible. Combined with the emotional vulnerability of some victims, the rise of app-based finance and the unwitting role played by companies like Apple and Google, these and other techniques have proven effective. So one of the major points that Goodin makes in this article is that when you go to the app store, especially the Apple app store... 

Dave Bittner: Yeah. 

Joe Carrigan: ...You generally have a high level of trust with the app that's in there by default. 

Dave Bittner: Right. 

Joe Carrigan: And these guys have found a way around it. Now, Apple and Google, immediately after being informed of this, removed these apps from the app store. But the dynamic content problem, I don't think there's a really easy technical solution to that. Maybe there's - maybe they can issue - you know, maybe they can monitor all the apps. 

Dave Bittner: Right. 

Joe Carrigan: I mean, but that's - there's a lot of apps in the app store. 

Dave Bittner: Yeah, hard to keep up. 

Joe Carrigan: Yeah. It's hard to keep up. That would be a large technical problem. 

Dave Bittner: Yeah. All right. Well, again, this article is over on Ars Technica. It's titled "Pig-butchering scam apps sneak into Apple's App Store and Google Play." Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.