Some movement in the cyber underworld. Vishing impersonates the US Social Security Administration. More SVB-themed phishing. And compromise without user interaction.
BianLian gang’s pivot. HinataBot is a Go-based threat. The US Social Security Administration is impersonated in attempted vishing attacks. BlackSnake in the RaaS criminal market. More Silicon Valley Bank-themed phishing. Caleb Barlow from Cylete on security implications you need to consider now about ChatGPT. Our guest is Isaac Roth from LeakSignal with advice on securing the microservices application layer. And Russian operators exploit an Outlook vulnerability.
From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Friday, March 17th, 2023.
BianLian gang’s pivot.
Researchers from security firm [redacted] say the ransomware gang BianLian has shifted its primary focus to data theft extortion rather than encryption. As part of this pivot, the gang has been putting more effort into tailoring their ransom notes to specific victims:
“In several instances, BianLian made reference to legal and regulatory issues a victim would face were it to become public that the organization had suffered a breach. The group has also gone so far as to include specific references to the subsections of several laws and statutes. While the applicability of the laws (to the victim and their data) referenced by BianLian would need to be assessed by the courts, at first glance, the laws referenced by the actors did in fact correspond to the jurisdiction where the victim was located.”
HinataBot: a Go-based threat.
Akamai is tracking a new Go-based botnet the company calls “HinataBot,” which is designed to launch DDoS attacks. The malware is still under development, and the researchers believe its creators are attempting to imitate elements of the Mirai botnet:
“There have been numerous public attempts to rewrite Mirai in Go, and HinataBot appears to follow a similar structure to some of these attempts. For example, the way HinataBot sets up communication in its main method and the way it parses commands and begins attacks in its attack methods resemble the structure used in other Go-based Mirai variants.”
US Social Security Administration impersonated in attempted vishing attacks.
Armorblox yesterday released a report detailing a vishing (or “voice phishing”) attack impersonating the US Social Security Administration. Researchers report that the attack begins with a phishing email. The email purports to be from a sender under the name of “Social Security Administration-2521.” The email utilizes a sense of urgency to get the victim’s attention, claiming that the user's Social Security number was suspended due to “erroneous and suspicious activities.” Included is an attached PDF file claiming to be a “letter of suspension” that appears when opened to be on the letterhead of the SSA. Included at the bottom of the file is a phone number for “contact information” if the user requires help. The hacker’s end goal of the vishing attack is to get the victim to call the fraudulent number and reveal sensitive information.
BlackSnake in the RaaS criminal market.
Netskope has published a report on the BlackSnake ransomware-as-a-service (RaaS) operation, which first surfaced in August 2022. A new version of the ransomware was observed on February 28th, containing a clipper module designed to steal cryptocurrency information. The malware appears to be targeting home users rather than corporations, since it asks for ransom amounts as low as $20. As a result, the researchers suspect “that BlackSnake is perhaps still under development or that they don’t have affiliates at this point.”
More Silicon Valley Bank-themed phishing.
INKY describes a phishing campaign that’s impersonating Silicon Valley Bank (SVB) with phony DocuSign notifications: “Email recipients are told that the ‘KYC Refresh Team’ sent two documents (KYC Form.docx & Change of Contact.docx) that require a signature. ‘KYC’ is a banking term that stands for ‘Know Your Customer’ or ‘Know Your Client.’ It’s a mandatory process banks use to verify an account holder’s identity. Of course, in this case, the phisher is using it to convey a sense of legitimacy to its intended victims.” If the recipient clicks the link, they’ll be taken to a spoofed Microsoft login page designed to steal their credentials.
Russian operators exploit an Outlook vulnerability.
Finally, more researchers have been following Bear’s spoor through vulnerabilities.
APT28, the GRU's Fancy Bear, has made considerable use of an Outlook vulnerability, CVE-2023-23397, against its targets. Cybersecurity Dive reports that attacks exploiting the vulnerability have targeted organizations in Ukraine, Turkey, Romania, and Poland since last April. Deep Instinct offers a detailed account of how the exploitation has played out in the GRU's cyber operations, and concludes with the following advice:
“While we found evidence of attacks starting in April 2022, there is a possibility that it was exploited even earlier.
“Due to the fact that we used only publicly available data, the actual scope of attacked targets could be much higher.
“Microsoft attributed the attacks to a Russian-based threat actor; however, public evidence might suggest another threat actor exploited the vulnerability as well.
“Since the attack does not require user interaction, we urge everyone using the Outlook application to patch their systems as soon as possible.
“We also suggest running the PowerShell script provided by Microsoft to find retroactively malicious emails in the Exchange server.”
CVE-2023-23397 is unusual because it doesn’t require user interaction to trigger exploitation. As researchers at Huntress who’ve been investigating the vulnerability point out, “Once an infected email arrives in a Microsoft Outlook inbox, sensitive credential hashes can be obtained.”
We point out, in full disclosure, that Microsoft is a CyberWire partner, and that Redmond offered both a patch and other remediation advice for Outlook users in this week’s Patch Tuesday. Microsoft Threat Intelligence had also discovered what it characterizes as “limited, targeted abuse” (note: targeted abuse) “of a vulnerability in Microsoft Outlook for Windows that allows for New Technology LAN Manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows.” Microsoft strongly recommends that users apply the update. The vulnerability only affects products that use NTLM authentication. Microsoft explains, “Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages.”
And that's the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening.
BianLian Ransomware Gang Continues to Evolve ([redacted])
Uncovering HinataBot: A Deep Dive into a Go-Based Threat (Akamai)
Social InSecurity: Armorblox Stops Attack Impersonating Social Security Administration (Armorblox)
Netskope Threat Coverage: BlackSnake Ransomware (Netskope)
Fresh Phish: Silicon Valley Bank Phishing Scams in High Gear (INKY)
Outlook zero day linked to critical infrastructure attacks (Cybersecurity Dive)
CVE-2023-23397: Exploitations in the Wild – What You Need to Know (Deep Instinct)
Everything We Know About CVE-2023-23397 (Huntress)
Microsoft Mitigates Outlook Elevation of Privilege Vulnerability (Microsoft Security Response Center)