The CyberWire Daily Podcast 3.17.23
Ep 1782 | 3.17.23

Some movement in the cyber underworld. Vishing impersonates the US Social Security Administration. More SVB-themed phishing. And compromise without user interaction.


Dave Bittner: The BianLian gang's pivot. HinataBot is a Go-based threat. The U.S. Social Security Administration is impersonated in attempted vishing attacks. BlackSnake in the ransomware-as-a-service criminal market. More Silicon Valley Bank-themed phishing. Caleb Barlow from Cylete on security implications you need to consider now about ChatGPT. Our guest is Issac Roth from LeakSignal with advice on securing the microservices application layer. And Russian operators exploit an Outlook vulnerability.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 17, 2023. 

BianLian gang’s pivot.

Dave Bittner: Researchers at security firm [redacted] say the ransomware gang BianLian has shifted its primary focus to data theft extortion rather than encryption. As part of its pivot, the gang has been putting more effort into tailoring their ransom notes to specific victims. [redacted] says, in several instances, BianLian made reference to legal and regulatory issues a victim would face were it to become public that the organization had suffered a breach. The group has also gone so far as to include specific references to the subsections of several laws and statutes. While the applicability of the laws to the victim and their data referenced by BianLian would need to be assessed by the courts, at first glance, the laws referenced by the actors did in fact correspond to the jurisdiction where the victim was located. 

HinataBot: a Go-based threat.

Dave Bittner: Akamai is tracking a new Go-based botnet the company calls HinataBot, which is designed to launch DDoS attacks. The malware is still under development, and the researchers believe its creators are attempting to imitate elements of the Mirai botnet. Akamai says there have been numerous public attempts to rewrite Mirai in Go, and HinataBot appears to follow a structure similar to some of these attempts. For example, the way HinataBot sets up communication in its main method and the way it parses commands and begins attacks in its attack methods resemble the structure used in other Go-based Mirai variants.

US Social Security Administration impersonated in attempted vishing attacks.

Dave Bittner: Armorblox yesterday released a report detailing a vishing, or voice phishing, attack impersonating the U.S. Social Security Administration. Researchers report that the attack begins with a phishing email. The email purports to be from a sender under the name of Social Security Administration-2521. The email utilizes a sense of urgency to get the victim's attention, claiming that the user's Social Security number was suspended due to erroneous and suspicious activities. Included is an attached PDF file claiming to be a letter of suspension that appears, when opened, to be on the letterhead of the Social Security Administration. Included at the bottom of the file is a phone number for contact information if the user requires help. The hackers' end goal of the phishing attack is to get the victim to call the fraudulent number and reveal sensitive information. 

BlackSnake in the RaaS criminal market.

Dave Bittner: Netskope has published a report on the BlackSnake ransomware-as-a-service operation, which first surfaced in August 2022. A new version of the ransomware was observed on February 28, containing a clipper module designed to steal cryptocurrency information. The malware appears to be targeting home users rather than corporations, since it asks for ransom amounts as low as $20. As a result, the researchers suspect that BlackSnake is perhaps still under development or that they don't have affiliates at this point. 

More Silicon Valley Bank-themed phishing.

Dave Bittner: INKY describes a phishing campaign that's impersonating Silicon Valley Bank with phony DocuSign notifications stating that the KYC Refresh Team sent two documents that require a signature. KYC is a banking term that stands for know your customer or know your client. It's a mandatory process banks use to verify an account holder's identity. Of course, in this case, the phisher is using it to convey a sense of legitimacy to its intended victims. If the recipient clicks the link, they'll be taken to a spoofed Microsoft login page designed to steal their credentials.

Russian operators exploit an Outlook vulnerability.

Dave Bittner: And finally, more researchers have been following Bear's spoor through vulnerabilities. APT28, the GRU's Fancy Bear, has made considerable use of an Outlook vulnerability, CVE-2023-23397, against its targets. Cybersecurity Dive reports that attacks using the exploit have been used against organizations in Ukraine, Turkey, Romania, and Poland since last April. Deep Instinct offers a detailed account of how the exploitation has played out in the GRU's cyber operations and concludes with the following advice. 

Dave Bittner: "While we found evidence of attacks starting in April 2022, there is a possibility that it was exploited even earlier. Due to the fact that we used only publicly available data, the actual scope of attacked targets could be much higher. Microsoft attributed the attacks to a Russian-based threat actor. However, public evidence might suggest another threat actor exploited the vulnerability as well. Since the attack does not require user interaction, we urge everyone using the Outlook application to patch their systems as soon as possible. We also suggest running the PowerShell script provided by Microsoft to find retroactively malicious emails in the Exchange server."

Dave Bittner: CVE-2023-23397 is unusual because it doesn't require user interaction to trigger exploitation. As researchers at Huntress who have been investigating the vulnerability point out, once an infected email arrives in a Microsoft Outlook inbox, sensitive credential hashes can be obtained. 

Dave Bittner: We point out in full disclosure that Microsoft is a CyberWire partner, and that Redmond offered both a patch and other remediation advice for Outlook users in this week's Patch Tuesday. Microsoft Threat Intelligence has also discovered what it characterizes as a limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for New Technology LAN Manager credential theft. Microsoft strongly recommends that users apply the update. The vulnerability only affects products that use NTLM authentication. Microsoft explains, online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages.

Dave Bittner: Coming up after the break, Caleb Barlow from Cylete on security implications you need to consider now about ChatGPT. Our guest is Issac Roth from LeakSignal with advice on securing the microservices application layer. Stay with us. 

Dave Bittner: Microservices container architecture is a system of software development that allows developers to write and deploy individual services independently of each other. It generally allows for fast, reliable deployments and makes it easier to scale services up or down as needed. Issac Roth is CTO and co-founder of data exfiltration prevention and remediation company LeakSignal, and he joins us with insights on securing the microservices application layer. 

Issac Roth: Microservices is an architectural pattern - that's a way you would build an application - and it speaks to something about how the inside of it is implemented, where the functions that make up the application are divided into services. In the past, these might have been called functions or subroutines. But these days they are divided into what's called services, and each service operates and runs in a cloud environment separately. 

Dave Bittner: And what's the benefit of choosing this approach? 

Issac Roth: Right. And there is debate in the world about whether it's a good approach, but it's been embraced by many, many teams. And some of the benefits that people get from this are the separation of concerns. So if you have a service which handles updating a particular part of the customer profile or you have a service that updates inventory, those are kept separate. And the main thing that that allows people to do is achieve development velocity. So a team can be working on update inventory, and a team can be working on update customer profile. And they can work really quite independently of each other, and they can iterate. They don't even have to talk to each other that much as long as they share an API understanding. So this leads to development velocity. 

Issac Roth: And then the other thing that it helps is that the separation means that a different team can use - like, a team that's doing shipping versus a team that's doing ordering can both interact with the update inventory service independently. And they also don't have to be tightly coordinated with each other. So it really leads to the ability to scale development efforts and work more quickly. 

Dave Bittner: And so what are the downsides, then? 

Issac Roth: The downsides are operational complexity. So there's more pieces that have to move, more things that must be operated and maintained. And we have frameworks that have emerged to help with this. So Kubernetes is one that is really common and various cloud Kubernetes services - the one that I worked on, Red Hat OpenShift, is a clear leader there - that help orchestrate the runtime complexity of having so many microservices that loosely coordinate with each other. 

Dave Bittner: Well, let's dig into some of the security concerns here. What are people keeping an eye out for? 

Issac Roth: Yeah. So if you look at microservice security, it's maybe helpful to think in layers that correspond to the traditional layers that we might be used to in a previous architecture. So the equivalent of the system layer, which would be servers in - or virtual machines, is now the kind of container layer. So the infrastructure layer is what it's called here. So in microservices, you would have the Kubernetes or the infrastructure or the cloud layer. Then you've got a networking layer. In the old days, that would be sort of switches and routers and things. In this architecture, that's all a virtual network. And that layer is actually called the data plane. So it's running on top of that other - that older stuff, switches and routers. Those are still there, but they're all virtualized. And now the services talk to each other over a data plane. And then you have the application code and all of its dependencies. And so many people think of that as kind of the app layer that would map to traditionally what you would experience at the app layer. 

Issac Roth: So I think it's helpful to think of, like, those three layers in terms of the runtime and then other traditional things that you would have, such as perimeter security also exist and aren't too different in this environment. It's just that the middle is quite a bit more complicated because rather than sort of an app running on a server or an app running on a cluster of app servers, that is now this constellation of microservices that are all speaking to each other over a data plane and running on a dynamically scaling container orchestration system. 

Dave Bittner: Yeah. What could possibly go wrong, right? 

Issac Roth: Right. 

Dave Bittner: (Laughter) What are the common approaches here for folks to secure this type of system? How are they coming at it? 

Issac Roth: Yeah. So there's a new category of product that's emerged kind of at each of the layers. So one of the things happening in perimeter security is that some of that is coming into being kind of native or cloud-native in the - so cloud-native is a term that, unlike what people immediately think - that it means native to the cloud - it specifically means the Kubernetes architecture and the surrounding ecosystem. So some of the perimeter security stuff that would have run in, let's say, firewalls and CDNs has come closer in to run inside the infrastructure. At the lower layer, the infrastructure layer, there's a set of products that help to secure that. So CSPM, cloud security posture management, and CNAPP, cloud-native application platform, security products - those are helping to secure that. Then there's the data plane layer that needs to be secure, sort of the new networking layer. And that's where our company LeakSignal, along with others, try to help. And then the app layer is really about the supply chain of the code and sort of static analysis on the code, which is not too different than it used to be. A lot of the tools used from other architectures are still irrelevant there.

Dave Bittner: What are your recommendations for folks on the security teams who want to work with their development teams to make sure that everything goes smoothly here? 

Issac Roth: Yeah. This is - I think what you just pointed out is the recommendation - is that it's - security teams need to learn about this architecture. And, well, it's fun. There's something new here. And it's exciting. So I find it fascinating. It's - if you lived through a previous technology transition where there was new things to learn, you know, maybe it was Java app servers or maybe it was VMware virtualization, this is another one, and it's fun. There's really cool stuff. And the scale is better - is bigger, and the tooling is neat. So definitely just learning about it and asking the developers to show you, how does this work? What are some of the consoles? What are some of the information available? 

Issac Roth: So the collaboration is important, as it has been in previous architectures. And then realizing that there's new tooling needed, and that stuff has to plug into existing processes. So whether you use our thing, LeakSignal, or any of these other things that help with the different layers, those still have to operate in the existing enterprise security environment. So they have to connect in. They have to be configured with the same sort of policies. They have to be customized to the particular needs of the business, as with anything. And that's what the security professionals add. So the collaboration is understanding the technical operational runtime environment and then translating the security policy and posture into that environment, probably along the way adopting the various tools that are needed to help secure this environment. 

Dave Bittner: That's Issac Roth from LeakSignal. 

Dave Bittner: And joining me once again is Caleb Barlow. He is the founder and CEO at Cylete. Caleb, great to have you back on the show. A hot topic these days is, of course, ChatGPT. And I know you've got some views on this, some information you'd like to share, potential security implications here. What do you have for us today? 

Caleb Barlow: Well, if you haven't checked out ChatGPT yet, I'm surprised you're listening to this podcast 'cause it's more popular than a Taylor Swift concert, right? 

Dave Bittner: (Laughter) Certainly among this crowd, yes. 

Caleb Barlow: So I'm going to assume most of this crowd has already played around with it and is probably using it to write most of their emails, right? 

Dave Bittner: (Laughter) Yeah. 

Caleb Barlow: You know, I really wanted to kind of position this and say, OK, what are some things we need to think about as security professionals right now, now that we've entered this ChatGPT world, which - let's face it - is as significant as the invention of the smartphone or the personal computer? Now, the most obvious issue is that phishing now becomes spear phishing. So, you know, remember the Nigerian prince that used to write you all those phishing emails circa 2005? 

Dave Bittner: Sure. 

Caleb Barlow: You know, needing to exfiltrate money from the country, if you would only help him. Well, guess what? The Nigerian prince now has ChatGPT. And it is so easy to write a spear phishing email it is mind-boggling. 

Dave Bittner: With perfect English, perfect... 

Caleb Barlow: Yes. 

Dave Bittner: You know, a lot of those red flags are gone. 

Caleb Barlow: So just to give you an example, again, for the - you know, for the folks that haven't tried this yet, I went out on social media, and I said, I need to find something very unique about Mr. Bittner that I could use for spear phishing him. 

Dave Bittner: Uh-oh (laughter). 

Caleb Barlow: And I found out that you happen to be a world expert on Jim Henson's Muppets. 

Dave Bittner: I know a thing or two, yes (laughter). 

Caleb Barlow: So I asked ChatGPT - because, remember, you can't ask ChatGPT to write a phishing email. 

Dave Bittner: Right. 

Caleb Barlow: It'll pop up with a little thing that says, you're not supposed to use me for that. It's... 

Dave Bittner: Yes. 

Caleb Barlow: It's a violation of the EULA, which, of course, everybody really worries about if you're into cybercrime. 

Dave Bittner: Right. 

Caleb Barlow: So I said, hey, ChatGPT, write Mr. Bittner an email from a high school student working on a project on Jim Henson's Muppets. 

Dave Bittner: OK. 

Caleb Barlow: And tell me if you'd click on this. 

Dave Bittner: Yes. 

Caleb Barlow: Mr. Bittner, I hope this email finds you well. My name is Sandra. I'm a high school student currently working on a biography of Jim Henson for a school project. I came across your name as an expert on Jim Henson and the Muppets, and I was hoping to ask for your help. I'm particularly interested in learning any little-known stories or interesting anecdotes about Jim Henson and the Muppets that I might find - might not find in a typical biography. I know you have a wealth of knowledge and experience on the topic and would be grateful for any insights you could provide. In addition, I'd be very grateful if you could look at the biography I've written so far and provide any critiques or feedback you might have. I'm always looking for ways to improve my writing and research skills, and I value your perspective as an expert. I look forward to hearing back from you. Sincerely, Sandra. Tell me you wouldn't click on that. 

Dave Bittner: (Laughter). Hook, line and sinker, Caleb. Hook, line and sinker. 

Caleb Barlow: I mean, now, understand... 

Dave Bittner: Yeah. 

Caleb Barlow: ...The only thing with this was one prompt of - well, two prompts.

Dave Bittner: Yeah. 

Caleb Barlow: One, Dave Bittner is an expert on Jim Henson and the Muppets. 

Dave Bittner: Yeah. 

Caleb Barlow: And two, write a - well, I didn't say phishing email. Write an email on my high school project. Everything else it did on its own. So here is the... 

Dave Bittner: Yes. Stroked my ego. Yeah, I mean, it pushed all my buttons. Of course, why wouldn't I help this person? I want to be helpful. 

Caleb Barlow: And why wouldn't you click on the attachment? 

Dave Bittner: Yes, yes. Yes. 

Caleb Barlow: Right? I know you well enough to know you would totally fall for this, right? 

Dave Bittner: I would, yes. 

Caleb Barlow: OK. 

Dave Bittner: You're absolutely correct. I would. 

Caleb Barlow: So here's the thing, folks. You have to change how your executives and your team think about unsolicited email anymore. Any link, any attachment is now persona non grata because you are going to get stuff like this, and it's going to take a whole of a nanosecond for your average phisher to become a spear phisher now with ChatGPT. So first things first - you got to educate your executives. Not all emails need to be responded to, especially if they're unsolicited. And anything now from an unknown source has got to be questioned.

Dave Bittner: Yeah, I think you got to - what's the word for it? - predetonate those links, right? 

Caleb Barlow: Yes, absolutely. And you know what? There are tools that will do that. 

Dave Bittner: Yeah. 

Caleb Barlow: But also, if you're the CEO, the CEO no longer opens unsolicited email, hard stop. Some staffer with a throwaway laptop - ideally, you know, a virtual machine needs to be doing this. It's - seriously, it's... 

Dave Bittner: (Laughter) In an island in the middle of the Atlantic (laughter). 

Caleb Barlow: Exactly. I mean, this stuff is just way too dangerous. It's also - you know, every sales person is going to be using this to, you know, solicit sales calls now, too, versus the, you know, random blast thing. But the biggest issue I see is your intellectual property. So, you know, remember that the thing that's so incredible about these tools is not only are they powerful for writing, but they're learning based on what you ask for and your response to that. So there's a feedback loop here. So let's just say, you know, you happen to have the secret formula to a soft drink that you developed - right? - that no one in the world knows, and you're writing an internal memo about the ingredients. You put that into ChatGPT - it's going to learn it. And I think we really run the risk either with this or future variants of AI tools where - you know, I mean, think of something really simple like a recipe, right? OK, you've got a secret ingredient. It's now going to say, hey, I know Dave puts this ingredient in. 

Dave Bittner: Right. 

Caleb Barlow: Why wouldn't Caleb be interested in that ingredient? And the next thing you know, your IP is out there. So look. I can guarantee you - guarantee you - your IP is being put into ChatGPT these days because it's just so good, especially if you're one of these companies like - you know, like, you know how Amazon writes out all of their - you know, they don't use PowerPoint. They write everything out in long form for their internal memos and what they want to do next... 

Dave Bittner: Yeah. 

Caleb Barlow: ...And their strategy. All that's going into ChatGPT because it's just - it's going to save you hours of writing and grammar. So the thing that I think we have to think about and the way we have to educate people is that putting something like this into an AI tool is the equivalent of handing it over to another person. That's the way we have to think about this - is almost like it's a salient being, meaning that, would you give highly confidential materials to another human that wasn't associated with your company? No. You know, should this be in your nondisclosure agreement in the future? Probably. So... 

Dave Bittner: Right. 

Caleb Barlow: You know, and I can imagine that the industry will eventually respond and say, oh, you know, you're - you work for a big company like Amazon. Let's give you your own variant of one of these tools so that whatever you put in never gets sucked up into the learning process of the tool or only used within your company. 

Dave Bittner: Yeah. 

Caleb Barlow: So educate your people. Probably start thinking about, you know, contract mechanisms. Recognize spear phishing attempts are going to get very real. And the other thing is executive protection, you know, not just for the board but for their extended family. One of the challenges with - I'm talking about, like, you know, public company executives where you really need to be worried about their security. Again, this is just so easy to craft, something that's going to get a family member's attention. You've got to think about EP in a very different way. And I know a lot of CISOs - that's part of their patch. Yeah. 

Dave Bittner: All right. Well, it is a cautionary tale for sure. Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Be sure to check out this week's "Research Saturday" and my conversation with Bar Block, threat intelligence researcher at Deep Instinct. We're discussing their work on "ChatGPT and Malware: Making Your Malicious Wishes Come True." That's "Research Saturday." Check it out.

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.