The CyberWire Daily Podcast 3.16.23
Ep 1781 | 3.16.23

CISA warns of Telerik vulnerability exploitation. Cloud storage re-up attacks. Phishing tackle so convincing it will deceive the many. Cyber developments in Russia's hybrid war.

Dave Bittner: Telerik is exploited for carding and other purposes. Cloud storage re-up attacks. Cybercriminals use new measures to avoid detection of phishing campaigns. Winter Vivern seems aligned with Russian objectives. Microsoft warns of a possible surge in Russian cyber operations. The Boss Sandworm. Johannes Ullrich from SANS talking about malware spread through Google Ads. Our guest is David Anteliz from Skybox Security with thoughts on federal government cybersecurity directives. And don't fear the Reaper. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 16, 2023.

Telerik exploited, for carding (probably) and other purposes.

Dave Bittner: We begin with a report of the widespread exploitation of a vulnerability in Progress Telerik, a tool suite used for cross-platform application development. Multiple threat actors, including at least one APT group, were able to compromise a U.S. federal civilian agency via a known Progress Telerik vulnerability in an IIS server, according to a joint advisory released by CISA, the FBI and the MS-ISAC. The advisory notes that the vulnerability allowed the attackers to execute code on the agency's web server. The organization's vulnerability scanner failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. CISA notes that a nation-state actor and a cybercriminal group both exploited the vulnerability. CyberScoop says the criminal gang, known as XE Group, is known for card skimming. The incident amounts to a software supply chain attack.

Cloud storage re-up attacks.

Dave Bittner: Avanan, this morning, released a report detailing an attack that threatens deletion of personal files for the purpose of credential harvesting. Researchers share that the attack begins with a phishing email. The email says that the user's cloud storage is full and provides a link to get 50 more gigabytes for free. Of course, the link does not go to a legitimate cloud file storage site. Rather, it's a malicious link to a credential harvesting site. The site tells users to validate their account by inputting their credit card number, which will be charged by the threat actors and taken, if entered. 

Cybercriminals use new measures to avoid detection of phishing campaigns.

Dave Bittner: Barracuda has published a report looking at three novel phishing tactics being leveraged by cybercriminals. Attackers are using Google Translate links, image attachments and special characters to evade detection. The researchers found that during January 2023, 13% of organizations received phishing attacks that abused Google Translate. They state, "attackers use the Google website translate feature to send Google-hosted URLs embedded in emails that ultimately lead to phishing websites. In this type of attack, the attacker relies on a translation service to deceive the victim and hide the actual malicious URL. Google Translate is the most widely used service, but our security analysts have also seen similar attacks hosted behind other popular search engines as well." 

"Winter Vivern" seems aligned with Russian objectives.

Dave Bittner: SentinelLabs reports on recent activity by a quiet and relatively overlooked APT tracked as Winter Vivern. Their report this morning said, "our analysis indicates that Winter Vivern's activities are closely aligned with global objectives that support the interests of Belarus and Russia's governments. The APT has targeted a variety of government organizations and in a rare instance, a private telecommunication organization." Most of that espionage has been conducted against targets in Eastern Europe, and both CERT-UA and Poland's Central Bureau for Fighting Cybercrime (CBZC) are tracking the activity, which they characterize as criminal. SentinelLabs adds, "the threat actor employs various tactics such as phishing websites, credential phishing and deployment of malicious documents that are tailored to the targeted organization's specific needs. This results in the deployment of custom loaders and malicious documents which enable unauthorized access to sensitive systems and information." Some of that phishing involves impersonation of Poland's Central Bureau for Fighting Cybercrime itself.

Microsoft warns of a possible surge in Russian cyber operations.

Dave Bittner: Microsoft reports that while Russian cyber operators have underperformed during the hybrid war, there are signs of a spike in both espionage and influence operations. Microsoft states, in 2023, Russia has stepped up its espionage attacks targeting organizations in at least 17 European nations, mostly government agencies. Wiper attacks continue in Ukraine. Influence operations have shown an interesting shift in attention toward Moldova. In a longer report on lessons learned over the first year of Russia's war, Microsoft concludes with a warning that future Russian operations are likely to fall into two categories - first, espionage purposes to understand military support and political deliberations of different nations and their commitments to the Ukrainian resistance; and second, potential hack-and-leak operations targeting key figures essential for support to Ukraine. So let those shields stay up. 

Boss Sandworm.

Dave Bittner: WIRED has a profile of Colonel Evgenii Serebriakov, the GRU officer who's running the Russian military intelligence service's Sandworm unit. Sandworm has been a problem with wipers, attacks on power distribution networks and other capers, but also a record of noisy stumbling around. WIRED writes, after half a decade of the spy agency's botched operations, blown cover stories and international indictments, perhaps it's no surprise that pulling the mask off the man leading that highly destructive hacking group today reveals a familiar face. Colonel Serebriakov was actually arrested in the Netherlands during a clumsy 2018 attempt to hack the Organization for the Prohibition of Chemical Weapons, the international organization then investigating the GRU's grisly attempt to use Novichok nerve agent to assassinate a GRU defector in the U.K. The target and his daughter survived. An uninvolved British bystander did not. It's unclear why the Dutch authorities released Colonel Serebriakov. He's still under U.S. indictment, although out of reach and working from some branch of the Aquarium, the nickname given to GRU headquarters in Moscow by those who work there. 

Don't fear the Reaper.

Dave Bittner: Russia is looking in the Black Sea for the wreckage of the U.S. drone Russian fighters forced down in international airspace on Tuesday, the Telegraph reports. While it was a kinetic knockdown - the Russian fighters dumped fuel on the MQ-9 Reaper and then collided with the drone's propeller - the incident has cyber implications. Should Russia be able to recover the MQ-9's wreckage, it would look for ways of extracting and exploiting data and data management systems the drone carried. U.S. operators are said, according to The Washington Post, to have wiped the MQ-9's systems before bringing it down some 56 nautical miles off the Crimean coast. Getting to the wreckage will be difficult, as the drone sank in water that's between 4- and 5,000 feet deep. General Milley, chair of the U.S. Joint Chiefs of Staff, said, we'll work through recovery operations. It probably broke up. There's probably not to recover, frankly. So, says the general, in effect, don't fear the Reaper. 

Dave Bittner: Coming up after the break, Johannes Ullrich from SANS talking about malware spread through Google Ads. Our guest is David Anteliz from Skybox Security with thoughts on federal government cybersecurity directives. Stay with us. 

Dave Bittner: At the federal level here in the U.S., there have been several binding operational directives issued by CISA and others mandating that federal agencies meet certain standards for asset visibility and vulnerability detection over the next few months. David Anteliz is senior technology director at Skybox Security, and he makes the case that putting these sorts of deadlines in place can have the unintended effect of putting the bad guys on notice. 

David Anteliz: When directives come out or these instructions come out from the Fed or whatever government agency, we usually find ourselves at an inflection point of, where do we need to pivot from? And oftentimes there's some confusion as to what is required, what is needed. You know, for instance, you know, CSAs offer guidance on, you know, vendors providing, you know, security up front and being more responsible for the security for their products that they offer. Oftentimes, that takes the onus off of the individual that is consuming the product or those that are purchasing product and don't necessarily understand that there is also a shared responsibility. So when you look at the landscape as a whole, often there's a lot of messaging, a lot of white noise and not necessarily a lot of exactly what do you need to do in order to secure your borders, so to speak. 

Dave Bittner: And so one of the points that I think you and your colleagues are making is that - as we come up on the dates of some of these operational directives being enforced, that it's sort of - it motivates the threat actors to come at some of these agencies. 

David Anteliz: Absolutely. It's almost like, hey. We're ringing the dinner bell for the wrong reasons, and we're trying to call everyone to the table to make sure everybody's secure. But, you know, the biggest, the baddest are going to run towards, you know, the food and try to get as much as they can before everybody else gets there. And the rest - you know, there's nothing left but scraps. That's the way I look at things in terms of - we're basically announcing to the world, we're trying to close up. We're trying to make sure that we are in a position of strength. But before we get there, we're also announcing that we are in a position of weakness. And therefore, it's almost like, hey, guys. Come get what you can. We got a couple windows left open. Come jump through there. Take what you want, and then we'll batten down the hatches a little bit later. So... 

Dave Bittner: Right. We're going to put up - we're going to put a fence up around this farm full of delicious food. And here's the day that's going up. That's an interesting perspective. So what do you suppose is to be done here given that reality? How should organizations be responding? 

David Anteliz: I think that there should be some level of collaboration - a measure of collaboration between the governments and, you know, the private sector. Again, there's this disparity about, you know, what the requirements should be and what they should be doing to attain a measure of security posture or, you know, improving their security posture. And when you leave it up to compliance or you leave it to some sort of governance, we're just addressing the nascent elements of the compliance. We're not going after it all. We're not taking a baseline approach to try to understand, well, what should we be focused on in order to make sure we secure our environments, our infrastructure, our product sets, our supply chain, all of that? 

David Anteliz: We're basing everything on what was given to us as a mandate. But we're not entirely sure that we've addressed all of those different pieces that are going to help us secure, you know, what needs to be secured. And because of that, we leave a lot of holes open. You know, there are a lot of holes that get exposed. For example, education plays a really big part in terms of, you know, cybersecurity. When we talk about phishing as - for example, it's very simple, very easy, very common these days. 

David Anteliz: You know, the city of Chicago, you know, in particular the Department of Aviation, back in 2019 experienced a very big booboo, if you will - a potential breach when they were provided - somebody was provided an email from one of their so-called vendors to basically - let's change the account. Let's pay out a million dollars plus to this individual. And the individual just, you know, bought it hook, line and sinker. Well, we've had mandates out there forever, you know, dictating, you know, what phishing and spear-phishing should look like. And this person - this individual with this type of control and power just bought into that email right - you know, really quickly and shifted all this money. Luckily, the bad guys didn't get the money, but it did expose a measure of - I won't say ignorance but just the, I guess, lack of thought in asking somebody, hey, should I be doing this? Should I be - you know, what's the process here? Who should I be talking to, you know, in order to approve this kind of large transaction? And should I be opening up these emails, you know, to begin with? That's been mandated a long time ago. 

David Anteliz: But again, because we have such vague wording out there and it's not pushed down, and, you know, there's this causality that happens - that unless it happens to you, nobody does anything. There isn't that measure of you need to get with the times. So again, kind of flowing down all the way down to the user level, the user level is looking at management to say this is what security looks like. Management is looking to the business to say, what do we need to secure? And the business is looking to regulatory and governance and compliance to say what should we be doing in order to secure? And when those things are out of lockstep, you end up with situations like that.

Dave Bittner: Well, in your estimation, who is best equipped to oversee that sort of enforcement? 

David Anteliz: That's a good question because, obviously we, you know, at the federal level - and, you know, it's an overarching component. 

Dave Bittner: Right. 

David Anteliz: And that needs to filter on down to the state level and the states - you know, where these businesses can, you know, transact or conduct their business are beholden and paying their taxes to, right? So there has to be a shared responsibility, I guess, you know, from that aspect. I think there needs to be some measure of responsibility, both at the board level as well as the government level. And there has to be some coming together as to - we agree that if we do X or we don't do X in order to secure our data and it's found that we egregiously messed up, that we're going to get dinged. And it can be at the federal level. It can be at the local level. But I think because the mandates are coming down from the federal level, at this point, it has to be at the - you know, coming from that overarching umbrella. I don't know how much they can impose their will, though. 

Dave Bittner: Yeah. So not just shared responsibility, but shared liability as well. 

David Anteliz: Yeah, there has to be. And you're starting to see that kind of, like, where the boardroom is starting to grumble about these incidences, and they're starting to dictate pace with the CEO. The CEO is now going to start eating some of that. It's going to start carving into his bonuses and his salary. And as it should be. You know, if somebody gets fired at the lowest level for misconfiguring a router or switch or firewall or what have you, so too should a CEO for the direction that he's taken the company, especially, you know, for those that are directly reporting to him and have direct responsibility for maintaining security and posture of the organization. That's where we see mostly - when money is involved and it affects someone's pocketbook, I truly believe that that's where we're going to start seeing measurable success because we don't - they're not going to want to see something take a chunk out of their stipend just because somebody materially forgot to make a configuration change, or there was a whole process that got missed. 

Dave Bittner: That's David Anteliz from Skybox Security. 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC "Stormcast" podcast. Johannes, it's always great to welcome you back. We have been seeing some reports here about some malware coming through with Google Ads. I know this is something you and your colleagues are tracking. What do we need to know about this? 

Johannes Ullrich: Yeah, so this is something that I think has really become more and more of a problem these last few months. And we have observed, like, a number of cases, also documented them in our posts. The problem here is that malware actors are paying for Google Ads to impersonate well-known software. We have seen OBS, like the studio software. We have seen Audacity. We have seen some of those commercial software tools like Word and such, where when you're just searching for, hey, I want to download this particular software, the No. 1 search result is leading you to malicious software because it is a paid ad. And Google apparently has a hard time dealing with that. And it's very difficult for a user, even for a somewhat experienced user, to distinguish these malicious ads from valid links because often they're using a lookalike URL. So they're using slight variations of the domain name. And in particular with open-source software - like, one defense for them would be, hey, let's just buy another ad, pay more for ads. 

Johannes Ullrich: But free software, of course, doesn't really want to pay a lot for ads just to get malware out of the way. And then, of course, you're being led to a lookalike website, and you're downloading malicious software. Typically, what you're getting is something that looks like the real software with additional add-ons, whereas off the installer, they install the legitimate software, but they're also installing some kind of info-stealer or bot or whatever. 

Dave Bittner: So what's to be done here? I mean, I think most people, certainly consumers - they have a lot of trust in Google. 

Johannes Ullrich: Well, don't trust Google. That's, I think, the first thing here. And probably one of the simplest things that you can do is get an ad blocker. Now, when you're talking about the web and such and, you know, podcasts, you usually have this social contract. Hey; you're not going to pay for it, but you're going to listen to our ads. You're going to view our ads. But that also, I think, assumes that these ads are somewhat curated and are not outright malicious like what we're having here with Google. So I think insofar - definitely running an ad blocker is probably a first line of defense against this particular attack. Other than that, you know, just be extremely careful as to what you download, which is a good idea anyway. But like I said, in this case, it's sometimes hard to tell if it's malicious or not. One little trick that you can use is VirusTotal. VirusTotal is pretty good in finding these or flagging these malicious binaries that you may be downloading. Interestingly, VirusTotal is owned by Google, so at least have Google help you out here defending yourself against Google. 

Dave Bittner: Against Google. 

Johannes Ullrich: But it would be nice if Google would just do it themself before they accept ads and such. But... 

Dave Bittner: Right. 

Johannes Ullrich: I guess it's just a matter of sort of there's no self-serve ad economy. They set up their - they just let everybody place ads, and sometimes these ads are then also sort of placed through third parties and sort of reselling ads. So it's a fairly complex kind of ecosystem, and that doesn't help here. 

Dave Bittner: Yeah. I mean, it goes - I find myself saying often that, you know, you'll hear the tech companies say, oh, well, we can't monitor this at scale. We can't do this at scale. And my response is, if you can't do that at scale, then maybe you shouldn't do that at all. 

Johannes Ullrich: Yeah. For Google, it's just their business concept to take your data and then resell it to better place ads. So it sort of goes at the core of their business, which I think makes that more difficult to them. 

Dave Bittner: Yeah. It's remarkable, though, that somebody can make it to the front page of Google - you know, the top search results - with something that is a scam. And ultimately, that - you'd think that would be against Google's best interest. 

Johannes Ullrich: Yeah, and we have seen Google fight back somewhat against, like, search engine optimization where people didn't pay. They just placed links on various websites. Many, many years back - I think it was a decade back - we had, like, a case where there was an earthquake in Chile. And what we noticed is that within minutes of that earthquake, which is an unpredictable event, the top search results when you search for earthquake in Chile was malware or malicious links. 

Dave Bittner: Wow. 

Johannes Ullrich: Now, at that point, what we found was there was actually a bot that monitored the Google trends, the top search queries, and then automatically updated, like, thousands of WordPress sites they had compromised in order to add spam links and amplify their links. But they didn't pay Google, so Google actually does now a pretty good job against this kind of search engine optimization or black hat search engine optimization, as it's sometimes called. That doesn't happen as much anymore. But, hey; they still take your money, and... 

Dave Bittner: (Laughter). 

Johannes Ullrich: That's the surefire way to be the No. 1 result when you're doing a search. 

Dave Bittner: Yeah. Boy, that - the cat and mouse continues. 

Johannes Ullrich: Last year there was one case where even Google Chrome - when you searched for Google Chrome, you got a malicious link at top. 

Dave Bittner: Wow. 

Johannes Ullrich: That no longer happens, so they must have put some block in there that nobody can advertise Google Chrome. But yeah. 

Dave Bittner: Buyer beware, right? 

Johannes Ullrich: Yes, buyer beware. And like I said, ad blocker is probably your best bet at this point. Get something free from a reputable source that doesn't replace Google ads with other malicious ads. 

Dave Bittner: All right. Well, Johannes Ullrich, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by Jon Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.