The CyberWire Daily Podcast 3.27.23
Ep 1788 | 3.27.23

Evolution of criminal scams (especially BEC). Law enforcement honeypots. ChatGPT data leak. Hybrid war updates.


Dave Bittner: IcedID is evolving away from its banking malware roots. An Emotet phishing campaign spoofs IRS W9s. The FBI warns of BEC scams. A fake booter service as law enforcement honeypots. Phishing in China's nuclear energy sector. Reports of an OpenAI and ChatGPT data leak. Does Iran receive Russian support in cyberattacks against Albania? My conversation with Linda Gray Martin and Britta Glade from RSAC with a preview of this year's conference. Our own Rick Howard takes a field trip to the National Cryptologic Museum. And deanonymizing Telegram.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 27, 2023. 

IcedID is evolving away from its banking malware roots.

Dave Bittner: IcedID seems to be evolving away from its banking malware roots. Proofpoint this morning released a report describing three strains of the IcedID banking malware in use by several distinct threat actors. There's the Standard IcedID variant. This is the variant most commonly observed in the threat landscape and used by a variety of threat actors. There's the Lite IcedID variant. This is a new variant observed as a follow-on payload in a November Emotet infection that does not exfiltrate host data in the loader check-in and a bot with minimal functionality. Then there is the Forked IcedID variant. This is a new variant observed by Proofpoint researchers in February 2023, used by a small number of threat actors, which also delivers the bot with minimal functionality. 

Dave Bittner: The classic Standard IcedID variant is the one most clearly adapted to traditional banking attacks. The Lite and Forked variants have seen removal of the components typically found in banking malware, which suggests to the researchers that IcedID is evolving away from its traditional uses and is becoming a loader for follow-on infections. These sorts of follow-on attacks are likely to include ransomware. 

Emotet phishing campaign spoofs IRS W9s.

Dave Bittner: Bleeping Computer yesterday morning reported that a new Emotet phishing campaign has been observed targeting U.S. victims by sending them bogus W9 tax forms. Researchers at Malwarebytes and Palo Alto Networks Unit 42 have observed Emotet malware targeting U.S. taxpayers with emails containing the fake W9 tax forms as attachments with the phishing email claiming to be from an inspector at the Internal Revenue Service. Brad Duncan of Unit 42 observed that this campaign used Microsoft OneNote documents with embedded VBScript files containing and installing Emotet. Duncan stated, when launching the embedded VBScript file, Microsoft OneNote will warn the user that the file may be malicious. Unfortunately, history has shown us that many users ignore these warnings and simply allow the files to run. Emotet will then be installed and run on the device, awaiting further payloads and engaging in credential harvesting. 

FBI warns of BEC scams.

Dave Bittner: The FBI has issued an alert warning that criminals are launching business email compromise attacks to acquire physical goods in bulk. The targeted goods include construction materials, agricultural supplies, computer technology hardware and solar energy products. 

Dave Bittner: The bureau states, to further delay the discovery of the fraud, criminal actors apply and are often granted credit repayment terms known as Net-30 and Net-60 terms, providing fake credit references and fraudulent W9 forms to vendors. The repayment terms allow criminal actors to initiate additional purchase orders without providing upfront payment. 

Fake booter service as a law enforcement honeypot.

Dave Bittner: The Record Friday reported that the United Kingdom's National Crime Agency disclosed secretly running fake DDoS-for-hire sites to collect data from those involved in cybercrime. Those who registered for the fake sites would not be given access to attack tools. Instead, their data would be taken by investigators. PCMag reports that the sites are designed in a way to collect any user data, which would then be relayed to appropriate law enforcement. That includes international law enforcement authorities if the sites were accessed from outside the U.K. The agency reports the creation of several websites. The NCA says that the fake sites have been accessed by several thousand people, according to Bleeping Computer. One of the sites was replaced Friday with a splash page noting that the site was under law enforcement control. Senior NCA officer Alan Merrett stated, Traditional site takedowns and arrests are key components of law enforcement's response to this threat. However, we have extended our operational capability with this activity at the same time as undermining trust in the criminal market. 

Phishing in China's nuclear energy sector.

Dave Bittner: Intezer says the Bitter APT is conducting cyberespionage against nuclear entities in China. Bitter is a South Asian cyberespionage actor known to target Pakistan, China, Bangladesh and Saudi Arabia. In its latest campaign, Bitter sent spearphishing emails posing as the embassy of Kyrgyzstan to target individuals working in China's nuclear energy industry. The email subject and body used terms and themes that would be familiar with the recipients in the governmental and energy sectors. The emails contained Microsoft Compiled HTML Help or Excel attachments designed to deliver malware. 

OpenAI and a ChatGPT data leak.

Dave Bittner: OpenAI last week took ChatGPT offline to patch a bug that allowed users to see the titles of other people's chat conversations, Engadget reports. The company also found that some personal and payment information of ChatGPT Plus users was exposed. According to Engadget, OpenAI states, Upon deeper investigation, we also discovered that the same bug may have caused the unintentional visibility of payment related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window. In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user's first and last name, email address, payment address and last four digits of a credit card number and credit card expiration date. Full credit card numbers were not exposed at any time. 

Report: Iran receives Russian support in cyberattacks against Albania?

Dave Bittner: Last September 7, 2022, Albanian Prime Minister Edi Rama ordered the expulsion of Iranian diplomats in retaliation for an extensive cybersecurity offensive Tehran had been running against Albanian targets. Foreign Policy reminds its readers that those operations were, for their part, Iranian retaliation for its sheltering of thousands of members of the MEK, a once-violent cultlike Iranian opposition group residing in a fortified camp in Manez, Albania, after being evacuated from Iraq in 2016. There have been signs since then of Russian support for Iran's cyber campaign against Albania. While evidence of direct involvement of Russia's security and intelligence units is circumstantial, ambiguous and unproven, Russian privateering criminal organizations like LockBit have recently been active against Albanian targets. 

De-anonymizing Telegram.

Dave Bittner: And finally, if sources in Moscow have it right, Telegram is less anonymous than many have believed. Rostec, a Russian state-owned defense conglomerate, is reported to have developed a way of de-anonymizing telegram channels, BleepingComputer reports. The capability is expected to be delivered to the FSB and other security organs this year. In the account by the dissident Russian outlet Bell, the effort amounts to a heavy-handed campaign designed to align Telegram feeds with the government line. The tool Rostec has built so far, Hunter, is said to use over 700 data points to make associations and correlations that can lead to unmasking the otherwise anonymous Telegram users. Hunter casts a wide net if it indeed operates as advertised. 

Dave Bittner: Such is the public account of the capability by Rostec and the Russian government, who compare Hunter to Palantir, but the story seems unlikely to at least some observers. The opposition activist group RosKomSvoboda writes, But for identifying channel owners, one cannot with certainty assume that the scheme could work without mixing in either some kind of zero-day vulnerability in the Telegram API or without the cooperation of someone with administrative access to the messenger servers. That is, there's either a vulnerability in Telegram's software or a compromised insider with considerable access. 

Dave Bittner: Coming up after the break, my conversation with Linda Gray Martin and Britta Glade from RSAC with a preview of this year's conference. Our own Rick Howard takes a field trip to the National Cryptologic Museum. Stay with us. 

Dave Bittner: The 2023 RSA Conference is just about a month away. And for those attending in San Francisco, it's an opportunity to connect with about 45,000 of your closest friends and colleagues for an intense few days of all things infosec. There are keynotes, talks, presentations, a huge show floor, parties and a chance to catch up with folks you may not get to see the rest of the year. The CyberWire is an official media partner of RSA Conference. And for a preview of this year's show, I reached out to Linda Gray Martin, senior vice president of RSA Conference, and Britta Glade, vice president of content and curation at RSA Conference. Linda Gray Martin starts us off. 

Linda Gray Martin: Our event last June, RSAC 2022, was our first in-person event for two years, and I think we quickly realized the joy of our community in being able to meet in person again. And so the theme for this year couldn't really be more appropriate - stronger together. And we use a famous quote in the description of our theme, which is from Helen Keller and says, alone, we can do so little; together, we can do so much. And I think it kind of says it all. We have such a passionate, committed community, and protecting the world from cyber threats is best accomplished by working together and by sharing our successes and failures. So that's really the kind of backstory of how we got to the theme this year, and we try and weave it throughout the event. And, you know, you'll see it in sessions as well. Our speakers kind of tend to embrace it. So you'll definitely see that theme weaving throughout the event. 

Dave Bittner: For folks who are coming out this year, what can they expect? Are there - anything new or a comfortable setting for those who have experienced it before? 

Linda Gray Martin: So looking at our keynote program, which is refreshed every year, our goal with our keynote program is always to provide our attendees with insights from kind of thought-provoking experts - so not necessarily people who are from the cybersecurity industry but generally who have some relevance within the industry. We welcome creative thinkers and industry visionaries who are going to spark conversation and just make us think a little bit differently. 

Linda Gray Martin: So just some of the speakers we are welcoming this year - we have Lisa Monaco, the U.S. Deputy Attorney General. We have Dr. Michio Kaku, who has spoken at RSA conference before. He's a theoretical physicist and, I know, wowed the attendees when he spoke for us a few years ago. We also have George Kurtz, co-founder and CEO of CrowdStrike - so somebody within the industry. And then I think a crowd favorite is surely going to be Eric Idle, the co-creator of "Monty Python," a musician and writer. And he is going to be embracing our theme and talking about the strength that he found with his "Monty Python" team when they were working on the kind of movie series. 

Dave Bittner: Britta, let me pivot to you, then. I mean, what are your insights? What are you looking forward to this year? 

Britta Glade: You bet. You know, we are the power of the community. So it's finding the ways to gather people in small ways, in big ways, in medium ways because that's when the sparks fly, when the magic happens - when you have conversations and gain perspectives that you may not have had before. So we've got, you know - gosh. At the end of the day, it'll be over 500 sessions delivered in a wide variety of formats. 

Britta Glade: Birds of a Feather - last year we introduced those happening throughout the entire event, and that really resonated for people. So that'll happen this year as well. Starting at 8:30 in the morning Monday, you'll have the opportunity to be in those small Birds of a Feather all the way through Thursday. Those are paralleling when the track sessions are going on, too. So, you know, I would counsel people strongly, you know, spend some time looking at the agenda beforehand. Kind of mark out your path of my must-haves, my it-would-be-nice-if and here's my backup. As you approach the content, as you approach the expo floor, as you approach a variety of great social activities throughout the week, you'll find all kinds of things that feel familiar and some new opportunities as well. 

Dave Bittner: Yeah, there really is so much to see. And it is the kind of conference - the scale of it, I think, can be a little overwhelming to first-timers. Do you have any advice or words of wisdom for folks who may be coming out there for the first time? 

Linda Gray Martin: Yeah. And thank you for bringing this up, actually, because it's perfect timing in that this year we all are really placing a focus on people who have never been before. We understand that there's a lot going on. And it's big, and it's overwhelming, particularly if you're there on your own. So this year, on the Sunday night before the event kicks off on the Monday, we are actually having a get-together for first-timers but also for some of our Loyalty Plus attendees - so for people who have attended more than five conferences. We thought that there would be something really special about bringing the two groups together to really learn from each other. And we wanted to do it on the Sunday night just to give people the chance to make connections before going into the week, so particularly if you're there on your own, like I said, that you're meeting people from the get-go. So hopefully that will be a success for that group. 

Linda Gray Martin: And we also do a webcast ahead of time where we run through some tips and techniques from our team. You know, many of our team have been on the team for a while, and we want to share the wisdom that we have and impart the knowledge that we have and, you know, create a friendly, welcoming environment for everybody. So for anybody that's attending that this is their first time attending, we'd love you to come to that reception and give you a chance to get to know some peers and colleagues who'll hopefully remain connections of yours for years to come. 

Dave Bittner: I'd like to wrap up with you both and talk a little bit about, again, this theme of Stronger Together, where I think we're seeing some volatility in the industry that maybe we haven't experienced before. We're seeing layoffs. And I think there's an opportunity here for folks who may be job hunting to go out and, you know, pound the pavement there at the show and make some new connections. 

Linda Gray Martin: I think that's a great point. And, you know, the one thing we always say about RSA Conference is it's that - the convening authority that one time a year where the whole community comes together, you know, for as much as the people that can be there can be. And, Britta, I'm going to steal one of your phrases once again, because I really love the way you coined this phrase, which is honor the community that is yours. And I think it's a really, very relevant thing in the scenario that you outlined. It's like there are so many people that come to RSA Conference that can help you, that you can help, you know, a whole array of different opinions and people with different backgrounds and content that's going to help you kind of enrich your perspective of important topics. So, you know, please come and honor that community that is yours for the taking. 

Britta Glade: Yeah. And that's why we've created all these opportunities. Every nook and cranny of the entire city will be full of people, you know, deep in conversation. And one thing I have always appreciated and loved about our community is really the support they have for one another. So absolutely lean in, become stronger together, you know, share thoughts, share needs, because I am so inspired every single day by the camaraderie that was here, the mentorship that is here, and really the dedication to helping lift us all together. 

Dave Bittner: Our thanks to Linda Gray Martin and Britta Glade from RSA Conference for joining us. The conference runs from April 24 through the 27. We hope to see you there. 

Dave Bittner: Just up the road from CyberWire intergalactic headquarters is NSA headquarters. And on site there is the recently renovated National Cryptologic Museum. When they reached out with an offer of a behind-the-scenes tour, my CyberWire colleague Rick Howard couldn't resist. 

Rick Howard: Hey, everybody. Rick here. Have I got a special treat for you. A couple of weeks ago, I got invited to visit the U.S. National Cryptologic Museum just outside the National Security Agency's headquarters in Maryland and meet the director, Dr. Vince Houghton. So after the obligatory Denny's breakfast with sound engineer Tre Hester and producer Liz Irvin, the three of us went up to the museum to get a tour and have a discussion with Dr. Houghton about the exciting new exhibits that he and his team have installed while the rest of us were in COVID lockdown. Enjoy. 

Vince Houghton: My name is Vince Houghton. I'm the director of the National Cryptologic Museum. I've been here since October of 2020. 

Rick Howard: So let's talk about the COVID years - right? - because you had an opportunity to change things. What was all that about? 

Vince Houghton: Well, unlike everyone else, we had to work during COVID. I mean, everyone worked during COVID. We had to come in during COVID, and we took advantage of it. I think that one of the things museums never get a chance to do is take a pause and take a break. So we took the opportunity to do that. I mean, it was a combination of COVID with new leadership, with new ideas about the direction this museum was going. And so we did everything. If you haven't been here and you've been to the pre-COVID museum, you'll be amazed at how different it is. 

Rick Howard: We spared no expense. 

Vince Houghton: Well, no expenses, though, you know, we made a lot of trips to Home Depot. I'm very good at demo. Other people can build stuff. I can break stuff down pretty well. And we did a lot of that. We also had the opportunity to do a full inventory for the very first time of all of our assets. We have a warehouse. NSA runs a warehouse down the road a bit that had thousands of our artifacts in it. And we say this all the time, but it's true in this case. It looks like the end of "Raiders of the Lost Ark." It's a government warehouse, floor-to-ceiling crates. Some of them hadn't been opened in 50 years. Some of them had been just sealed up right after World War II or after Korea, after NSA was formed in 1952, and... 

Rick Howard: Never really looked at. 

Vince Houghton: ...Never looked at again. 

Rick Howard: Really? 

Vince Houghton: And, you know, for us, that was really neat. I mean, as a historian, I was nerding out a little bit. In many cases, though, it was frustrating because people put stuff in there without the intent of it being seen in a museum later on. So the information they gave us was, like, German cipher machine, World War II, and that was it. And unless it's an Enigma or something similar, we had to do a lot of research to figure out what a lot of this stuff was. Fortunately, we had the time to do that too, so we're able to - kind of a team effort - figure out what a lot of this stuff was that no one had ever really looked at before. 

Rick Howard: What is the theme that we're going to see here currently? Is there a thread that kind of walks everything through or...? 

Vince Houghton: It's not a chronological thread, so there's - we decided to design this to where you didn't have to go in order like a linear path through the museum. I think the big theme is what I call the holy trinity of artifacts, and that is artifacts that are the first of something - so serial No. 0 or the prototype - artifacts that are the only one of something - so maybe they made a thousand of them, and there's only one left, and we've got it - or artifacts that were used by an individual, very specific person or in a specific historical event. My goal is to get to 100% of artifacts on display fall within one or more of those three categories. Right now we're at about 80%. So the threat is you're seeing in every direction you look things you can only see here. We're in Washington, D.C. area. We're competing for eyes, right? We're competing with the Smithsonians, with the Spy Museum. So how do we draw people here? We draw people here with the assets that we have that no one else does. 

Rick Howard: So do you have a favorite of each of those categories? I know it's hard to say. These are my babies, but.. 

Vince Houghton: My baby is one of the things that we brought in - I alluded to this already - are things that until we open, most of the public didn't know NSA actually did. And that's nuclear command and control. When I got here after a little while of kind of figuring out what our assets were - we got a - I got a phone call from what we call NC2, nuclear command and control. And they said, hey, look. All of our stuff is now obsolete. So a whole generation of equipment that we used is no longer secret, or it's going to be declassified very soon. Would you want it for the museum? And I'm like, yeah, of course. I'm like, what are we talking about here? Well, we're talking about the DEC Alpha. And, well, the DEC Alpha made the nuclear codes. So I'm like, what do you mean the nuclear codes? Do you mean the the nuclear codes? And like, oh, yeah, the the nuclear codes. So now we have the servers in the museum that created the nuclear codes for the president from the 1980s all the way up through just a couple years ago. 

Rick Howard: That's awesome. 

Vince Houghton: As cool as it gets. And then historically, we have some, you know, game-changing artifacts, whether it's the U.S. Navy cryptanalytic bomb, which is a big, 5-ton machine that is the only remaining version of about 100+ machines that we made to break the German Navy U-boat four-rotor Enigma that Winston Churchill said shortened World War II by two years. The other hundred and so out of them were melted down - or 5 tons of steel. Those are things that kind of stand out as, like, uber nerdy for me and really make this museum worth the trip because there's just nowhere else on Earth you can see this stuff. 

Dave Bittner: You can hear Rick Howard's complete tour of the National Cryptologic Museum as part of CyberWire Pro. And if you find yourself in the Fort Meade, Md., area, be sure to stop by the museum for a visit. It is open to the public and well worth your time. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.