From cryptostealers to CCTV exploits, from Magecart enhancements to coronation phishbait, cybercriminals have been active. (But so have law enforcement agencies.)

Dave Bittner: LOBSHOT is a cryptowallet stealer abusing Google Ads. Coronation phishbait. A known CCTV vulnerability is currently being exploited. T Mobile discloses another, smaller data breach. New Magecart exploits. Preliminary lessons from cyber operations during Russia's war. Rob Boyce from Accenture shares insights from RSA Conference. Our special guest is NSA Director of Cybersecurity Rob Joyce. And Europol announces a major dark web market takedown.

Dave Bittner: I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, May 2nd, 2023.

LOBSHOT, a cryptowallet stealer abusing Google Ads.

Dave Bittner: Elastic Security Labs reports a new trend of Google ad based malware that uses an elaborate scheme of fake websites through Google Ads and embedded backdoors in what appears to users as legitimate installers. Elastic Security calls this malware strain LOBSHOT, and describes it as having hidden virtual network computing capability that allows LOBSHOT to remain undetected by the host machine. Researchers attribute this campaign to the Russian cyber group TA505, a well known cybercrime group associated with Dridex, Lockey, and the Nacores campaign. LOBSHOT is used to steal financial data, specifically going after Chrome extensions associated with crypto wallets. It also seems to have the ability to target Edge and Firefox wallets.

Dave Bittner: As Security Week reported, the malware allows attackers to bypass fraud detection engines and provides them with stealthy direct access to the infected machines. Elastic Security explains that it does this by performing a Windows defender anti emulation check, looking for hard coded values within the emulation layer of defender. If they are present, the malware immediately stops running. The malware comes with a built in gooey, which allows attackers to execute specific commands quickly, such as modifying sound settings, starting browsers, and using the infected machines clipboard presumably to obtain or modify copied wallet addresses.

Coronation phishbait.

Dave Bittner: Researchers have seen an increase in phishing sites centered around Saturday's coronation of King Charles III, Computer Weekly reports, Kaspersky researchers have discovered many fake memorabilia sites that harvest credentials and steal money. Not only can the actors behind the foe sites steal information visitors enter, but the websites themselves are also insecure, allowing for outside hackers to harvest the entered information. Kaspersky principal security researcher David Emm advises caution when procuring coronation collectibles, and recommends sticking to familiar reputable brands and official sites.

Known CCTV vulnerability is currently being exploited.

Dave Bittner: FortiGuard Labs is monitoring a spike in the exploitation of digital video recorder authentication bypass vulnerability, CBE 2018, 9995 in TBK Vision Systems. Many of those systems are white badged and sold under other vendors' brands. The researchers observed over 50,000 unique detections in the month of April. The vulnerability arises from an error in the vulnerable application when handling a maliciously crafted HTTP cookie. A remote attacker may be able to exploit this to bypass authentication and obtain administrative access.

Dave Bittner: The vulnerability has been given a 9.8 CVSS score, which marks it as critical. The vulnerability was first discovered in 2018, and no patch has so far been issued. Security Week writes, organizations are advised to review the CC TV cameras, DVRs, and related equipment they're using, and remove any vulnerable models from their environments, or ensure that they are protected by a firewall and not directly accessible from the internet.

T-Mobile discloses small data breach.

Dave Bittner: T Mobile saw their second data breach this year, Ars Technica reports yesterday. The breach apparently started on February 24th and ran through March 30th, meaning that the attackers had access to personal customer data for over a month. This incident followed a January breach of the company's systems that affected 37 million customers.

Dave Bittner: The magnitude of this breach is not anywhere near so far reaching, bleeping computer reports, as the incident affected only 836 customers. But the information contained in the leak was highly extensive and exposes affected individuals to identity theft and phishing attacks. The carrier released a statement in late April, disclosing that no financial information or call records were released in the breach. But an array of other personal identifiable information was exposed, including full name, contact information, account number, and associated phone numbers, account pin, Social Security number, government ID, date of birth, balance due, internal codes that T Mobile uses to service customer accounts, and the number of lines.

New Magecart exploits.

Dave Bittner: Magecart credit card skimmers are devising new custom fraudulent modals that are said to be thoroughly convincing, Malwarebytes writes. A modal, the researchers explain, is a webpage element displayed in front of the current active page. The researchers call the campaigns associated with the skimmer one of the most active Magecart attacks in recent months. A Parisian travel accessories store was found to be compromised. The skimmer, which researchers have previously dubbed Critech [phonetic], was injected into the site's CMS and loaded malicious code that impacted checkout on the site. However, the site does not use a modal, but instead redirects to a third party processor site that allows the user to enter their information, and then redirects back to the initial merchant page. When a user selects the credit card payment option, fraudulent modal is displayed and asked for payment card information. Once it's entered, an error screen will pop up saying the payment was canceled, and will redirect to the merchant's real third party payment processor. Malwarebytes called this a good example of a skimmer that appears trustworthy.

Preliminary lessons from cyber operations during Russia's war.

Dave Bittner: Breaking Defense offers a summary of expert opinion on the early lessons being drawn from the cyber phases of Russia's war against Ukraine. Widespread fear of a cyber 9/11 or a cyber Pearl Harbor, that is a decisive crippling bolt from the blue attack in cyberspace, has proven unfounded. Breaking Defense says the strategic lesson for the U.S., several independent experts said, is that this kind of drawn out cyber conflict is a more likely model for future wars than the sudden death visions of a cyber Pearl Harbor, or cyber 9/11, predicted by U.S. officials for over a decade. While cyber operations have been and are likely to remain an important part of future wars, they're unlikely to be decisive war winners, nor are they likely to produce significant operational level victories. In this respect, we note they resemble their older cousins in electronic warfare, valuable as combat multipliers, but not bringing in overwhelming advantage. It is perhaps worth noting that while the attack on Pearl Harbor and the terrorist actions of 9/11 achieve the operational surprise, those who carried them out wound up eventually losing the war.

Europol announces major dark web souk takedown.

Dave Bittner: And finally, Bravo Europol. The agency has announced a successful international action operation specter against a major dark web contraband market. Their announcement reads, in an operation coordinated by Europol and involving nine countries, law enforcement have seized the illegal dark web marketplace monopoly market, and arrested 288 suspects involved in buying or selling drugs on the dark web. More than 50.8 million euros in cash and virtual currencies, 850 kilograms of drugs, and 117 firearms were seized. The seized drugs include over 258 kilograms of amphetamines, 43 kilograms of cocaine, 43 kilograms of MDMA, and over 10 kilograms of LSD and ecstasy pills. And that, friends, is a lot of stuff that's better off gone.

Dave Bittner: Coming up after the break, a tale of two Robs. We've got Rob Boyce from Accenture with his thoughts on the RSA Conference, and our special guest, NSA Director of Cybersecurity, Rob Joyce. Stick around.

Dave Bittner: And it is my pleasure to welcome back to the show Rob Boyce from Accenture, where he is the global lead for cyber resilience. Rob, it's great to have you back. I want to start off just with your impressions of this year's RSA Conference. As you've been walking around, has there been anything sort of caught your attention?

Rob Boyce: Yeah. First of all, it's nice to be back, and nice to do this in person.

Dave Bittner: Yes, it is, yeah.

Rob Boyce: Yeah, I think there's a few things that really stood out to me. And I'm sure I'm not the first person who's going to say this with you this week. But AI everywhere. I think we're seeing a lot of companies become AI companies overnight by introducing, you know, their integrations or how they're going to use OpenAI or ChatGPT to increase the fidelity of their products base, so I think that's interesting. We're also seeing, you know, in that topic with generative AI I think is also what we, I think I must have, every single person I have talked to this week, this has been a topic of conversation, is that like how fast is it going to get us to a better place. And I think a lot of people are really hoping that it's going to solve some of the skills problems and deficits that we have, get people upskilled faster, being able to use a, you know, a generative AI assistant to be able to ask questions to so you don't need to be a deep cyber expert, maybe you could leverage the assistant to be able to, you know, augment your own knowledge. And then we start thinking about how do we transition cyber from cyber skills and being deeply technical to maybe being better at asking questions. So, I think that will be interesting. That's a lot of conversation around that. Also, space. That's crazy, like we're talking now about how do we secure space, and space being the 17th segment of critical infrastructure I think they're calling it. So, I mean, that's going to be fascinating as that unfolds more and seeing how that is. So like that was a crazy topic that I saw. And the one thing that I always find when I come here, or to Black Hat, is how many technology vendors there are in the security space. And I feel, like this is my personal opinion, is I think this is causing some of the problems that we have in the security space. There's no less than a thousand probably vendors on the floor all solving one small segment of the cyber problem rather than thinking about how do we integrate these, you know, products that maybe are more of a feature as opposed to an actual tool into a larger ecosystem. And I think, you know, it's causing a lot of confusion maybe for organizations, and it also causes them to buy a lot more technology. And so this is what we always see, you know, when we go to clients, it's not unusual to have 150 different security technologies in an environment. And, of course, now with the economy the way it is and some uncertainty, I think there's an opportunity for us to use this time to rationalize those stacks, and how do we get more of the investments we already have as opposed to buying more and more technology. So, I think we might be forced to think that way in the next year or so. But, yeah, those are some of the observations anyway of just walking around.

Dave Bittner: I'm curious, you know, for you as someone who represents an organization that I think it's fair to say is an alpha provider, right, the scale and the breadth of the things that you and your colleagues at Accenture provide, are done at a higher level than many companies who are just smaller than you are, and with different sets of capabilities. As you're walking around looking at the startups, the smaller companies, those scrappy folks who are around the edges, is it interesting for you to kind of get out of your bubble? Because you do do so much in house.

Rob Boyce: Yeah, yeah, yeah, for sure. I really enjoy getting to talk to some of the innovators. And yes, I am saying two almost, two different things of the same, two sides of the same coin, I guess is the phrase. I love seeing the ideas and the innovations that are coming out, and being able to talk to people around the problems they're trying to solve, and how they're thinking differently. You know, and just going back to the generative AI and the upskilling, I think there's a lot of companies looking at how do we upskill individuals in the space, and whether it's through technology or whether it's through training, you know, I think just being able to talk to them and hear the passion that they have around like we really want to make a meaningful difference in this space by, you know, getting people fluent, I guess, or literate in cyber, I think that's super interesting also. So, yeah, I love doing it. I say they could use a little more air conditioning probably.

Dave Bittner: That's fair.

Rob Boyce: It gets hot down there. And there are a lot of people. I do think like last year when we did this, we were talking about is RSA back, right? And I think last year, you know, I was, it was getting back. But this year, I think, I think there's more people than there were in 2020. It's really amazing.

Dave Bittner: I heard, I heard someone today mention that they've seen that the attendees doubled this year over last year. And I believe it.

Rob Boyce: Yeah. And I also find that there's a lot of international people here this year. Like I think, I think RSA has always been historically very focused on North America for the most part. But there are every language you can imagine being spoken on the Expo floor right now, just there's so many international people. It's amazing.

Dave Bittner: Where do you think we stand in terms of headwinds? Obviously we have changing economic times, which has affected our industry as well as other folks. But I'm curious what are the challenges you see in the year ahead?

Rob Boyce: I do think people are being asked to do more with less. So, we can expect I think not like no investment but I think there will be probably consistent investment. Maybe not additional. So, I think CSOs and their security organizations are going to be challenged to do more, keep pace without having more budget to do it, which I honestly think is going to be a good opportunity for them to double down on the investments they have and think about how to get the most out of them. Because I will tell you, we see organizations, when we do incidents, they very often have the right technology to have prevented or reduced the destructive nature of the event. But they don't, you know, they haven't deployed the technology everywhere, or they haven't configured it appropriately, or they haven't operationalized the processes and integrated them into their process, perhaps. So, I do think this will be that opportunity to do that. I think it's actually going to be good for us in some ways to try and not solve the problem with money, but actually do the hard work.

Dave Bittner: Yeah, that's interesting, a little bit of a stress test in a way. Yeah, yeah. All right, well, Rob Boyce, thanks so much for joining us.

Rob Boyce: Absolutely. Thank you, Dave.

Dave Bittner: It is my pleasure to welcome to the show Rob Joyce. He is the Director of Cybersecurity at the National Security Agency. Rob, thank you so much for taking the time for us today.

Rob Joyce: It's great to be here, Dave. Thanks for having me.

Dave Bittner: So, I want to start off by setting the stage a little bit in saying that I grew up sort of in the shadow of the NSA in Howard County, Maryland. And way back then, it was no such agency. Right? And had many friends whose parents worked for the agency, and we'd say what do you do for a living, and they'd just say I work for the government. It is remarkable to me how much that has evolved, that these days a big part of the agency's work, particularly when it comes to cyber, is interaction, is outreach, is cooperation with industry. Can you speak to that a little bit, about how that's part of the mission?

Rob Joyce: Yeah, it's absolutely part of the mission these days. What we've recognized is U.S. industry, they own, they operate, they defend the internet. And all of the threats in that world happen inside their backyards. And so while I have a capability to look into foreign space about the threats and the operations that are happening there, I need a partner to work on the things that are on those infrastructures. And that's the natural place. And you can't, you can't achieve the things we need to do without building that level of trust.

Dave Bittner: Can we talk about some of the mechanisms that are in place? For example, I know you all are providing support to organizations, non governmental organizations who are doing business with the government on the cybersecurity front.

Rob Joyce: Yes. So, we opened about three years ago the Cybersecurity Collaboration Center. That's focused on the defense industrial base. So, all of the big companies you would know and understand from their names on the buildings that do defense contracts. But the defense industrial base is actually 300,000, at least 300,000 companies. And it includes those traditional big companies you think of. But increasingly, the defense department relies on the big cloud providers, the incident response providers, all the hardware vendors that make operating systems, and all of the different technologies. And so by us taking that knowledge of the foreign threat space and applying it to help them collaboratively secure their environment, we protect the defense department's mission. But, in fact, it rolls out into much larger spaces into the rest of the government, into critical infrastructure, even you and I at home get protected when I teach a big company about Russian malware or their trade craft. They don't apply it just to the defense department mission. They apply it to their whole customer base.

Dave Bittner: And what is the mechanism by which that interaction happens? Does it, are we at the point where it's bidirectional, it's flowing from industry to you and back and forth?

Rob Joyce: It absolutely is. So, years ago, we would take the things we knew, and we would pass it to companies, often through an intermediary, another government agency, or another path. And we just threw that one thing over the wall. And it may or may not have been useful. Most of the time, it wasn't. And because there wasn't that bidirectional communication, we had no chance to learn that it was almost what they needed. But if we changed or answered this one question, it would be better. We never got things back. So, we now have joint analysis. We'll pick a Chinese threat. And, you know, the big analysts from industry are pursuing it with their data, and on their networks. And we're bringing that sigint information together. And very rarely is it one substantive piece of information that makes the difference. But it's the ongoing dialogue and the joint analysis that gets us to really huge discoveries.

Dave Bittner: Can we discuss the scalability of that? I mean, when you start a program like that, where there hasn't been one before, with something as large as cybersecurity, how do you approach that?

Rob Joyce: Yeah, so we started with one company. It's 100% voluntary. So, every company that works with us does it of their own volition. There's no, there's no payment, there's just the agreement that we're going to do good things together. We're up over 300 now that collaborate. Some of them, many of them on a daily basis, where we're exchanging and working on hard problems. And what we're finding is those companies are seeing the benefit. That's why they put their resources into this partnership. Because it's protecting their customers, it's protecting their equity. And it's also protecting the nation. So, they're happy to be in that relationship where we're providing value, and they see good outcomes.

Dave Bittner: Certainly here at the RSA Conference, a hot topic is artificial intelligence. We've been sort of half joking that on the way to the show that half the booths would say we're ChatGPT enabled. And the other half would say we're protecting you from the things that are ChatGPT enabled. Right? I'm curious what the agency's perspective is on this. You know, is this something to embrace, to explore, to be wary of? Where are you all there?

Rob Joyce: So, we have to embrace it, whether we like it or not, you know, industry is going there, and the technology has emerged, and it's going to be impactful. We do see it much like you framed it. There's an element of bad guys are going to do innovative things with it. There's an element of we will be able to do much better defense using it. And then there's the aspect of, you know, this is a national treasure right now. These companies have innovated and created things that others are going to look to steal. And so we've got to help them protect it. But across all three of those, the way I would characterize it is I think the watchwords are going to be speed and scale, that using generative AI technologies, you're going to be able to do new things. But mostly new things faster or remove a lot of the, just the wrote work. And so we're going to see the people who learn to use it be better at either exploiting or defending than those who don't.

Dave Bittner: What would you like our listeners to know about the way that NSA approaches our adversaries, you know, the names we hear in the news every day?

Rob Joyce: We have an effort called adversary defeat. When we stood up the cybersecurity directorate, we deliberately picked a vision statement that we were going to prevent and eradicate malicious threats. And there was a lot of debate about that board eradicate, because we don't actually have the authority in NSA to do eradication. But we thought setting the bar at anything less, you really wouldn't have the right attitude in the day to day engagement. So, our hope is that we're able to generate intelligence, build technical insights, and then take those things to partners who can. And, you know, certainly cyber command inside Fort Meade is one of them. And they have the defend forward concept, where they're not going to just leave the adversary to try and try and try until they succeed. We're going to put sand in the gears and try to prevent them from achieving the things they want to do. But it's not just cyber command. It's CISA, it's FBI. But also treasury, state department, and then all of those commercial partners we talked about. They all have, you know, different and unique ways to put pressure on the adversaries, shine a light on them, take away their capabilities. Sometimes, you know, get after them in law enforcement. Or simply harden and do preventative things that will make their jobs harder to achieve their goals.

Dave Bittner: Before I let you go, as we walk around the show floor here, there are lots of folks who are just starting out their careers, looking to figure out, to find their place. And for some of those people, NSA could be their place. What's your, what's your pitch for them? What's the mindset of the people you're looking for?

Rob Joyce: Yeah, so the mindset are folks who want to work on hard problems with wickedly intelligent people in a diverse environment that's going to challenge them every day. So, I came in 34 years ago. I've had careers inside careers. The most rewarding thing is if you see something in the newspaper, somebody at NSA is working on that problem, right, in that national security space, but the really cool ones are the ones that never make the paper because of the things we're doing. And that's just satisfying. It really is very cool.

Dave Bittner: Rob Joyce is Director of Cybersecurity at the National Security Agency. Thanks so much for joining us.

Rob Joyce: Thanks, Dave. I really appreciate it.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can e mail us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity, where privilege that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. This show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.