The CyberWire Daily Podcast 3.9.23
Ep 1776 | 3.9.23

PlugX is now wormable. Compromised webcams found. Emotet is back. AI builds a keylogger. Cyber in the hybrid war. BEC comes to productivity suites.

Transcript

Tre Hester: A wormable version of the PlugX USB malware is found. Compromised webcams as a security threat. Emotet botnet out of hibernation. AI used to generate polymorphic keylogger. Turning to alternatives as conventional tactics fail. Dave Bittner speaks with Eve Maler of ForgeRock to discuss how digital identity can help create a more secure connected car experience. Johannes Ullrich from SANS on configuring a proper time server infrastructure. And phishing messages via legit Google notifications. From the CyberWire studios at DataTribe, I'm Tre Hester, filling in for Dave Bittner, with your CyberWire summary for Thursday, March 9, 2023.

A wormable version of the PlugX USB malware is found.

Tre Hester: Sophos is tracking a new version of the PlugX USB trojan. The researchers say the novel aspects of this variant are a new payload and callbacks to a C2 server previously thought to be only tenuously related to this worm. PlugX is a known malware variant that can spread via USB sticks, which can sometimes allow it to access air-gapped systems. The malware is currently spreading in African countries, with infections observed in Ghana, Zimbabwe and Nigeria. The new variant was also observed in Papua New Guinea and Mongolia. Sophos believes this campaign is linked to the Chinese APT Mustang Panda, which has been known to use this malware in the past.

Compromised webcams as a security threat.

Tre Hester: BitSight has published research finding that 1 in 12 BitSight-tracked organizations with internet-facing webcams or similar IoT devices are susceptible to video and/or audio compromise. The researchers were able to access cameras monitoring access-controlled spaces and in some cases could have eavesdropped in sensitive business areas. Quote, "Exposed devices in our analysis are either misconfigured or suffer from a software vulnerability. The former could arise because the user failed to set a password, while the latter is typically attributable to a specific kind of access control vulnerability called an insecure direct object references vulnerability. Either way, the video/audio feed should be protected by access control measures but is not. Therefore, the device's security controls can be bypassed, allowing an attacker to view video feeds and/or eavesdrop on conversations. Sophisticated attackers could also potentially alter exposed feeds," end quote. 

Tre Hester: Most of the exposed organizations are in the education sector, and the researchers note that the increased presence of minors at these educational organizations could present additional challenges to personal privacy and security. 

Emotet botnet out of hibernation.

Tre Hester: Emotet, long familiar on the cyberthreat scene, had gone relatively quiet, but it returned earlier this week. Bleeping Computer writes that Emotet has been observed sending emails once again despite the effectiveness of Microsoft security in blunting Emotet attacks. Cybersecurity firm Cofense reports that malicious activity from the Emotet malware family was observed beginning again on Tuesday morning. Cofense told Bleeping Computer that the campaign resumed at 7 a.m. Eastern Standard Time, saying, quote, "Volume remains low at this time as they continue to rebuild and gather new credentials to leverage and address books to target," end quote. 

Tre Hester: The emails in the newer campaign purport to be invoices rather than reply chain emails. Inside the invoice attachment lies a document with Emotet's Red Dawn template that prompts users to enable content and editing. If a user enables the editing, a slew of macros will download to the Emotet loader and allow it to run in the background. This could potentially lead to more dropped payloads, researchers say. 

Proof-of-concept: AI used to generate polymorphic keylogger.

Tre Hester: Researchers at HYAS have developed a proof-of-concept strain of polymorphic malware that uses OpenAI's API to evade detection. The malware, which the researchers call BlackMamba, is a keylogger delivered as an apparently benign executable. Once executed, however, BlackMamba will reach out to OpenAI and request that the AI generate keylogging code. Quote, "It then executes the dynamically generated code within the context of the benign program using Python's exec() function with a malicious polymorphic portion remaining totally in-memory. Every time BlackMamba executes, it re-synthesizes its keylogging capability, making the malicious component of this malware truly polymorphic. BlackMamba was tested against an industry-leading EDR, which will remain nameless, many times, resulting in zero alerts or detections," end quote. The researchers can then exfiltrate the captured data via legitimate communication and collaboration tools. 

Turning to alternatives as conventional tactics fail.

Tre Hester: The U.S. director of national intelligence, Avril Haines, yesterday predicted to the Senate Intelligence Committee that Russia could be expected to turn to alternative forms of military power as its conventional forces continue to fail on the battlefield. Quote, "Russia will become even more reliant on asymmetric options, such as nuclear, cyber, space capabilities and on China," end quote. 

Tre Hester: Such alternatives, especially cyber, have seen their own challenges. Bloomberg reviews, again, the difficulty Russia has had mounting effective cyber offenses against Ukraine and Ukraine's allies. Some of this is due to deterrence, but much of the failure is credited to effective Ukrainian defenses. There has also been evidence of Russian inability to sustain focused cyber offensives over a period of time long enough to have a decisive effect. It has, for example, proven more difficult than anticipated for Russian services to maintain unity of effort in the criminal gangs they rely on as auxiliaries. Some of those gangs, like Conti, splintered over Russia's war. 

Tre Hester: That said, the gangs remain important to Russia's cyber operations, and the governments of nations sympathetic to Ukraine are not disposed to overlook gangland's close connections to Russia's intelligence and security services. 

Phishing messages via legitimate Google notifications.

Tre Hester: And finally, Avanan warned this morning that an ongoing phishing campaign has abused comments in Google Workspace documents to target nearly a thousand companies over the past two weeks. The researchers explain that an attacker can create a free Google account, then simply mention the targeted user in a Google sheet. The target will then receive a legitimate notification from Google informing them that they've been mentioned in the document. If the recipient clicks on the Google Scripts link included in the email, they'll be redirected to a phony cryptocurrency site. 

Tre Hester: While the delivery technique is effective, Avanan notes that the social engineering aspects of this particular campaign could use some grammatical refinement. The message written by the scammer states, quote, "hello, dear users of the system. They wrote to you to the account the withdrawal of cash. Nevertheless, you have not ordered a withdrawal," end quote. Avanan cautions, however, that users should be on the lookout for more sophisticated campaigns using this technique. So stay alert, friends. 

Tre Hester: Coming up after the break, Dave Bittner speaks with Eve Maler of ForgeRock to discuss how digital identity can help create a more secure, connected car experience. And Johannes Ullrich from SANS speaks on configuring a proper time server infrastructure. Stick around. 

Dave Bittner: With consumers demanding connected cars that not only get us where we need to go, but also seamlessly integrate with our digital lives, automakers are striving to strike that balance between user experience and information security. Eve Maler is CTO of identity and access management software company ForgeRock. 

Eve Maler: So McKinsey is predicting 95% of cars will be connected cars shipping by 2030. Honestly, it's hard to find a car that doesn't come with a SIM card these days. 

Dave Bittner: Yeah, you know, I like to joke that my favorite iPhone accessory is my car, and I think that that reflects that we're really relying on our cars to interface with our mobile devices. And indeed, I think it's a major consideration when folks are shopping for cars these days. But what about the cars themselves? When it comes to that interaction, how are they treating our security and privacy? 

Eve Maler: You know, there's still a gap, a pretty big gap, when cars are looking at the security and privacy prospects. Part of it really is the API security. You know, cars have APIs now, and who's calling those APIs? Oftentimes we discover that they're not protected. And oftentimes we discover that the protection is a weak form. It's really weaker than we know to do when it comes to web security these days. And honestly, any car with a browser window, which a lot of them have, is functioning as, you know, a very sophisticated mobile device. 

Dave Bittner: Well, for folks who aren't familiar with how this works in the automotive world, I mean, how are cars using APIs? And how does that interact with our devices and then, you know, hit the rest of the real world? 

Eve Maler: Yeah. So, you know, connected cars are giving us not just a way to get from Point A to Point B, they are digitizing an experience. And, you know, I share your kind of experience about, you know, having Apple CarPlay and iPhone integration being a really big part of my driving. And so there's a lot of data feeds, from, you know, oil levels to tire pressure as it changes as you drive to music subscription services and car navigation services. So it's really a compendium of different services that function very much like ordinary connected services function. 

Eve Maler: They have APIs. They need to be connected a lot of the time. And those APIs are called by various client applications that are looking up information and feeding information back into the driver's environment. And so the way that they should be secured is through, you know, some of the best practices that we know now where you use access tokens using OAuth technology that can be refreshed quite frequently. And in fact, a lot of them are not secured in such a fashion, and they're using static secrets that function like passwords. And we know that this is often leading to what I think of as identity theft in the car API ecosystem, where, you know, if you get a compromised secret that functions like a password, then anybody can interact with a car, make it do things that the driver really does not want it to do, and that's quite dangerous. 

Dave Bittner: What are some of the specific concerns here? Are we talking about, you know, location where people are traveling? What sort of things do we need to keep an eye out for here? 

Eve Maler: Well, it could amount to controlling the car's functions. If you have autonomous functions, for example, what if those were taken over? It could replace known good data around navigation with suspect data. So, you know, the classic challenges of cybersecurity around confidentiality and integrity and availability - all of those things could be compromised. And they could result not just in, you know, a digital security hole. They could result in personal safety risks. 

Dave Bittner: I'm trying to imagine how something like this would work. I mean, can you describe for us - is there some sort of - I don't know - a future where we have some sort of onboarding with our new vehicle or every time we get in a car we haven't been in before? What do you envision? 

Eve Maler: Yeah, actually, I mean, I've got a pretty good bead on it because we work with a lot of the automotive OEMs who are looking to solve problems like ensuring that a digital key for a car, which can often be your phone, be shared with other people that you want to give the right to drive your car, for example. And so the infrastructure that's needed to make that happen - it turns out to involve what might look like classic identity and access management, carefully orchestrated across environments like, you know, digital mobile devices, the car itself, the person who, let's say, ordered the car. The car may not exist yet. Believe it or not, that car has an identity and can be tracked, oftentimes through the manufacturer process and through the process of delivery to the new owner. So really, identity and identity relationships form a core part of the security strategy, the privacy strategy, and really the digital experience strategy. 

Dave Bittner: What about when you're ready to part ways with your vehicle? You know, we've heard stories about folks who sell a car and then the next owner has access to their personal information. Or indeed, someone sells a car, and months later they still have access to remotely start the car or, you know, things like that. 

Eve Maler: Yes. You know, this is one of those - sometimes it's a little bit of a blind spot even in enterprise security - the need to deprovision access, to change authorization policy, to disallow certain actions. So, you know, one of the hardest problems is ensuring that you've got a really clean picture of, let's say, offboarding an employee who just left yesterday, and you don't want them to get access to all of the resources they had access to before. It's much the same proposition, only it needs to be translated into consumer scale. And it's very much, as I say, an identity and access management proposition. And it needs to be made easy, convenient and valuable to folks who are interacting with these very sophisticated devices. 

Dave Bittner: Are we at the point yet where this needs to be a concern for people who are out there shopping for their next car? Are there questions they should be asking at their dealerships? 

Eve Maler: I think so, actually, you know, particularly when a car is such a valuable, sophisticated product, which comes with subscription opportunities of its own. It's important for people to get a sense of comfort that they are working with a trustworthy manufacturer of this vehicle and a trustworthy integrator of all the many, many services, including third-party services, that make up that kind of package of value that a connected car represents. 

Dave Bittner: That's Eve Maler from ForgeRock. 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, it's always great to welcome you back. I know you want to touch today on this notion of time servers and configuring them properly. What can you share with us today? 

Johannes Ullrich: Yeah, thanks for having me back again, Dave, and time - maybe a little bit of an obsession of mine with sort of my physics background back in the day. I actually almost got a job to help NIST define the kilogram out of school back then, but - well, anyway, that didn't happen. So now I'm stuck with time servers, networks. The - what this is really about is pretty much any operating system these days, even IoT devices, synchronize time automatically. And by default, they come configured with some kind of time server that they reach out to, that they connect to. There are a couple tricky issues with this. 

Johannes Ullrich: Now, often, in particular sort of open source Linux IoT uses this NTP pool. This is a pool of a couple thousand NTP servers that volunteers basically contribute. And really like anything volunteers contribute, sometimes it works, sometimes it doesn't work. There is no 800 number to call and complain about if it doesn't work. So we did a little bit of work and looked at how accurate is actually - are these open time servers. Turns out they are very accurate if they respond. They are sort of within a few milliseconds, which is perfectly fine for, you know, what they are meant to do. 

Johannes Ullrich: But aside from the accuracy, there's a little bit of another problem. Whenever you're reaching out to another network device like this, you're basically giving away information. For example, Shodan stated that one problem they're going to - one way they're going to solve the problem of scanning IPv6 is - well, they can't scan the IPv6 address space, so they're just going to add some NTP servers to that pool with IPv6 addresses. And whenever you connect to them to get the new time, you basically give away your IPv6 address, and they'll scan you and then add to a database as a possibly exposed device over IPv6. Also, there are different variations of software that is used for time synchronization that uses slightly different flavors of the NTP protocol. And with that, you know, an attacker, for example, could figure out what operating system you're running or how recent your operating system is. 

Johannes Ullrich: So a lot of things that you're kind of giving away and that you probably need to consider, and I think one reason why you want to control time, you want to take it over and really sort of set up an NTP infrastructure and architecture around it, just like what you're doing for DNS and other protocols. 

Dave Bittner: So is it something that you would run internally? 

Johannes Ullrich: Yeah. So the first step that you can do is you run an internal time server. Again, there's open source software to do it. A small virtual machine is all you really need. And then that time server synchronizes with these external sources, so that would be the only system exposed. And all your internal servers will then connect to that one master clock inside your network. 

Johannes Ullrich: It has the other advantage that this kind of gets your clocks more synchronized inside your network. And what you're often more interested in than having, like, the absolute time is that the time is synchronized within your network. Like, it probably doesn't really matter if the time on your laptop is off by a second, as long as everything on your network is off by a second. And that way, if you're trying to compare logs and such, you're finding the right logs that you're looking for. 

Dave Bittner: Yeah. I mean, that's fascinating. I - as things can continue to get faster - network speeds and, you know, processor speeds and all that kind of stuff - does the degree to which the accuracy of the notion of an absolute time - does it matter? 

Johannes Ullrich: It can matter in some cases, like authentication, for example. Protocols like Kerberos and such are somewhat sensitive. 

Dave Bittner: Yeah. 

Johannes Ullrich: It's relatively straightforward to sort of get millisecond accuracy. That's what you can do with open source software. The next step up from sort of having this one centralized time server is you can buy little appliances that use GPS to synchronize time and act as an internal time server. So now you don't need any outbound network connection. And those devices are not terribly expensive. They're sort of in the $200 range of the low-end ones that you can get and, of course, no limit to the upper end. 

Johannes Ullrich: And then, of course, depending on if you want to be really accurate, you can use other protocols and such to synchronize time across systems. But something like this is definitely affordable for a small business, a little time server appliance like this. And it just sort of takes care of it, and you don't really have to worry about it going forward. The accuracy, the absolute accuracy of one millisecond, I would think is pretty much good enough for all sort of current applications unless you have some very specific needs. 

Dave Bittner: Oh, man, this is totally a rabbit hole I could go down, and, you know, compensating for relativistic effects and all that kind of stuff, right? 

(LAUGHTER) 

Johannes Ullrich: Yeah. Actually, you can buy, like - no, these GPS satellites - they have atomic clocks inside, mini cesium clocks. 

Dave Bittner: Right. 

Johannes Ullrich: You can buy your own cesium clock if you want to. On eBay, they can sometimes be found at a reasonable price - reasonable being sort of, you know, $1,000 to $2,000 kind of. Yeah. I don't think it's really necessary for most applications. Facebook published a lot about what they're doing to actually get sort of nanosecond and better synchronization across their network. They sort of came up with some custom network cards and plug-ins for that to do it.

Johannes Ullrich: 5G networks - that's sort of where the speed matters. And the faster these networks get, the more critical for them it is to, like, synchronize frequencies - that your phone and the tower, when they're dialing in a certain frequency, it's actually the same frequency. So that's also where some of these time standards come in and matter and have to be now very accurate with these faster speeds. 

Dave Bittner: Yeah. Reminds me of the old quote allegedly from Yogi Berra. They said, hey, Yogi, what time is it? And Yogi said, you mean now? 

Johannes Ullrich: (Laughter) Yeah. Or that's the other quote that's often said with - particularly with NTP. If you have one clock, you know what time it is. If you have two, you're never sure.

(LAUGHTER) 

Dave Bittner: Right. Right. All right. Well, Johannes Ullrich, thank you for taking the time for us today. 

Johannes Ullrich: Thank you. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. This CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is me, with original music by Elliott Peltzman. The show is written by John Petrik. Our executive editor is Peter Kilpe. And I'm Tre Hester, filling in for Dave Bittner. Thanks for listening, and we'll see you back here tomorrow.