Firmware comes in through the back door. Leveraging Adobe for credential harvesting. C2C market notes. Hybrid war updates.
Dave Bittner: A backdoor-like issue has been found in Gigabyte firmware. A credential harvesting campaign impersonates Adobe. The Dark Pink gang is active in Southeast Asia. Mitiga discovers a significant forensic discrepancy in Google Drive. "Spyboy" is for sale in the C2C market. A look at Cuba ransomware. Ukrainian hacktivists target the Skolkovo Foundation. The FSB says NSA breached phones in Russia. Carole Theriault examines Utah's social media bills aimed at kids online. Our guest is Tucker Callaway of Mezmo to describe the rise of telemetry pipelines. And spoofing positions and evading sanctions. I'm Dave Bittner with your CyberWire Intel Briefing for Thursday, June 1, 2023.
Backdoor-like issue found in Gigabyte firmware.
Dave Bittner: Researchers at Eclypsium have discovered a firmware backdoor in motherboards sold by Taiwanese hardware manufacturer Gigabyte. The feature appears to be intended to automate firmware updates, but Eclypsium says it could be abused by threat actors via person-in-the-middle attacks. The researchers compared the vulnerability to other firmware backdoors such as LoJax, MosaicRegressor, MoonBounce, and VectorEDK. The researchers explained that the dropped executable and the normally downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows. But this does little to offset malicious use, especially if exploited using living-off-the-land techniques. Eclypsium writes that, as a result, threat actors can use this to persistently infect vulnerable systems.
Credential harvesting campaign impersonates Multimedia Software and Adobe.
Dave Bittner: Armorblox today reported detecting and stomping an email attack impersonating Adobe that evaded email security measures. The threat actor used social engineering to target law firms by sending emails from a compromised third-party account. Legal documents were the phish bait. The phish hooks were malicious hyperlinks leading to pages mimicking Adobe Acrobat. The landing webpage of those hyperlinks led to a faux Adobe file sharing page with another link leading to a credential harvesting page requesting the victim's Microsoft login. The threat actors not only leveraged the legitimacy of Adobe to reel in unsuspecting victims, but were also able to bypass certain Microsoft security measures, since the manipulation and use of Adobe's legitimate domain bypassed email security checks.
Dark Pink APT active in SE Asia.
Dave Bittner: Singapore-based cybersecurity firm Group-IB is observing the activities of a threat actor they're calling Dark Pink. At least 13 organizations across nine countries have been victimized by this advanced persistent threat. CyberScoop reports that recent victims have been located in Brunei, Thailand, and Belgium, atop previous attacks targeting the Asia Pacific region and Europe. Spear phishing emails are Dark Pink's primary modus operandi, and its custom data exfiltration toolkit has been updated to allow them to lie low within infected systems and devices. Their recent targets have spanned the government, nonprofit, military, and education sectors, Insurance Journal reports. Attribution of Dark Pink remains unclear; it walks and quacks like an intelligence service, but whose service is still unknown.
Mitiga discovers “significant forensic discrepancy” in Google Drive.
Dave Bittner: Mitiga released a comprehensive report regarding a significant forensic deficiency in Google Workspace. This deficiency allows threat actors to exfiltrate data using Google Drive with no trace. The problem lies in the fact that Google Drive logs are only active in its premium service, Google Workspace Enterprise Plus. If an organization is not paying for the service or an employee is not using a paid license, the logs remain inactive. This allows threat actors to move data without notice. Mitiga writes that all users can access the workspace and complete actions with the files inside their private company drive. They simply do so without generating any logs, making organizations blind to potential data manipulation and exfiltration attacks. Mitiga has alerted Google to this discrepancy but as of the publishing of their report, Google had not yet responded.
"Spyboy" for sale in the C2C souk.
Dave Bittner: CrowdStrike warns that someone going by the handle "Spyboy" is selling a new endpoint defense evasion tool for Windows on the Russian-language forum Ramp. The tool, called "Terminator," is advertised as being able to bypass 23 antivirus and EDR solutions. CrowdStrike notes that the software requires administrative privileges and User Account Control acceptance to properly function. Upon execution, the binary will write a legitimate signed driver file known as "Zemana Anti Malware" to the system.
A look at Cuba ransomware.
Dave Bittner: Avertium has published an extensive look at Cuba ransomware. The Russian operation with no connection to its island nation namesake sees a timeline of the operator's activities, notes on indicators of compromise, and advice on defense and remediation in the study. The timeline is interesting in the way it shows how a nominally criminal organization can be turned to serve the purposes of the Russian State.
Ukrainian hacktivists count coup against the Skolkovo Foundation.
Dave Bittner: Ukrainian hacktivists, posting under the Linux-hacker-inspired name sudo rm -RF, chirped at Russia's Skolkovo Foundation over Telegram, claiming to have pwned the tech development agency. The Record reports that Skolkovo acknowledged sustaining an attack, but said that its systems were all back up and running. The hacktivist claims are probably overblown, as hacktivist claims normally are, but the Skolkovo Foundation has at least experienced some degree of embarrassment. Headquartered on the outskirts of Moscow, the Skolkovo Foundation was founded by the former Russian president and current deputy chairman of the Security Council, Dmitry Medvedev. He charged it with leading the development of a Russian tech industry that would rival, if not supplant, Silicon Valley.
FSB says NSA breached iPhones in Russia.
Dave Bittner: Reuters reports that Russia's FSB says that the U.S. National Security Agency has succeeded in compromising iPhones used in Russia. The phones belonged mostly to Russian citizens, but the FSB says that iPhones belonging to some foreign diplomats were also affected. The official moral Russia would have public opinion draw from the announcement is that NSA and Apple are conniving with one another. As the Foreign Ministry put it, "the hidden data collection was carried out through software vulnerabilities in U.S. made mobile phones. The U.S. Intelligence Services have been using IT corporations for decades in order to collect large scale data of internet users without their knowledge." So, the so-called lesson of the story Russia's telling is that the Anglo-Saxons aren't to be trusted.
Position spoofing and sanctions evasion.
Dave Bittner: And finally, tankers carrying Russian oil are having their movements concealed by automatic identification system spoofing. The purpose of the deception appears to be evasion of international sanctions against Russia, the New York Times reports. Why would the tankers spoof their locations? If tracking data revealed the ships' movements from Russian to customers' ports, that would be evidence of a prohibited breach of sanctions sufficient to void the vessels' insurance coverage. And no shipper wants that. It's like your teenage driver jacking up your premium with a bunch of speeding tickets. Or so I've heard. Coming up after the break: Carole Theriault examines Utah's social media bills aimed at kids online. Our guest is Tucker Callaway of Mezmo to discuss the rise of telemetry pipelines. Stay with us. We often talk about the challenges in dealing with the metaphorical fire hose of data being collected and sent to security teams. How do you sort through it, route it, tag it, make sure the right stuff is being seen by the right people? Why, automation, of course. And one flavor of automation being embraced is telemetry pipelines. To learn more about telemetry pipelines, I spoke with Tucker Callaway, CEO at Mezmo.
Tucker Callaway: I think the rise in telemetry pipelines really stems from just the explosion of data, that's probably the first factor, and that's driven of course by digitization, cloud adoption, microservices and all that. The second driving factor I think too is this desire for customers to take more ownership and more products than data where that data gets routed to or gets stored, how they handle it and manage to get value out of it over time.
Dave Bittner: Can you give us an idea of what exactly the sort of tension is here? I mean my understanding is that you want to gather data but if you gather data, it's expensive to hold onto that data.
Tucker Callaway: Yeah, I was going to say that the-- it's more than just cost, but the main driver for it is really just cost, right? There is this desire and a need, frankly, to store data, especially for security purposes, like the timeframe that we, you know, typically detect threats and things like that is 6, 9, 12 months, and so there's this requirement imperative for us out there to store the data for these extended periods of time. But if you take that storage window combined with the volume explosion, there is, there's a paradigm shift that has to happen and the old ways of just storing data in a sealed data storeroom and a single tool, they simply don't scale to the modern, to the modern cloud architecture.
Dave Bittner: So how are people coming at this? So what sort of options have they had available to them?
Tucker Callaway: I think there's a couple different ways to approach the different options. Like I go back to the need to take control of your data and when you take control of your data, you get to start to make decisions about that data and how it's leveraged over time. So you can do things like put that data in, well first you can manage, massage, transform, or route that data in a way that makes it most advantageous for you. So the challenge with storing all this data is a lot of it isn't valuable until it's extremely valuable. Until it's absolutely required to go troubleshoot an issue. But as a result, we don't need to store that in I'd say an expensive vendor data store. A lot of the data can be stored in more affordable storage facilities like S3, or you know, just more block storage type capabilities. And then rehydrate your reviews at the time when it's actually needed. And the things you need to do, do more kind of analysis and reporting on the high value data can be sent directly to those tools that people use for both observability and security purposes.
Dave Bittner: How should people come at that? I mean if the reality is that you don't always know when you're tucking away this data, whether it may ever be valuable, what's a strategy to deal with that?
Tucker Callaway: I think it varies, you know, from company to company, but the broad strategy has to be, own the data. And by own the data, I mean like if you get some of this data to a vendor it just sits in their data storage and you're kind of beholden to their abilities, their ability to choose when this data gets selected gives you an opportunity to decide how do you want to archive that data? How do you want to manage that data? How do you want to control the cost of the data? There's also a number of steps you take along the way, like the first thing is you ensure that you don't have duplicate data. And then you ensure that you don't have data that doesn't, that will not have any value over time. And then a third step might be then you can compress the data to convert the raw data into more summarized metrics and things like that. And so there's a series of steps that people can take to go manage it more effectively so you both have the insights and the coverage that you need in your environment, but you also have the kind of whole fidelity and raw log capabilities that you need when it comes to troubleshooting and you want to get to root cause of what actually happened 9 months ago.
Dave Bittner: Do you have a certain amount of sympathy or empathy for folks who kind of come at this with a packrat mentality? You know, let's just save everything.
Tucker Callaway: I mean I do, yeah, like you know, one of the, one of my big data points is we've been, we've been in the log management space for a long time and we've been working with customers for over 6 years who have this requirement to store this data and they're, forever they've been stuck, you know, and I think that's why telemetry pipelines have such a big rise because they're putting that decision making power, they're putting the control back into the customer's hands or into the enterprise's hands. So like I absolutely have empathy for them and in fact, I've worked side by side with them over the years, trying to solve this problem and what we realize that like as the market has as well, that the prevailing trend and extremely rising trend is to take control of the telemetry pipeline as a very strategic control point to make that happen.
Dave Bittner: How does this fit into regulatory frameworks? You know, for people who are required to store data, how does this slot into those requirements?
Tucker Callaway: I think, I think it's really hand in hand, I mean that's one of the reasons I gave the answer I did earlier that it depends on each enterprise because, of course, people with certain, or enterprises with certain retention requirements are going to have to match those, but what you don't want to do is have them match those retention requirements with expensive data storage, or you don't want to, you don't want to be storing things that aren't required. And so those regulatory compliance trends absolutely go hand in hand, in a way, the regulatory compliance forces a certain amount of discipline and that discipline is actually being carried out less from a regulatory perspective but more from a cost perspective that applies across enterprises.
Dave Bittner: What are your recommendations for people who are starting this journey? Do you have any words of wisdom as they head down this path?
Tucker Callaway: Yeah, I think, I think, you know, I've said it a couple times, but I really think it's like don't-- take control of your data, like don't look at that as just information, think about it as an asset of your enterprise. And when you think about your data as one of your core assets, you think about it differently, like we used to always talk about how every business is a software business, I think in many ways, every business is a data-dependent business these days, right? We work with people who collect data off chairs, for example, and that chair telemetry data is actually pretty strategic for them in terms of how they make business decisions. So I think you have to look at your data as a product or as a core asset of your company and not just as a necessary evil, and when you start to treat it that way, you look at it, you look at it through a very different lens and you care for it and you treat it differently. You make sure that what you have is obtainable. We think a lot about what we call the "cost curve problem." And that's the relationship between value and cost of data as it becomes out of whack over time. When you take ownership of it, you're essentially saying, "I'm going to go manage that cost of my enterprise."
Dave Bittner: That's Tucker Callaway from Mezmo.
Dave Bittner: Our UK correspondent, Carole Theriault, has been looking at Utah's social media bills that are aimed at kids online. She files this report.
Carole Theriault: So this past year we have been seeing some U.S. states attempt to crack down on social media by passing bills that, if enforced, will radically change how social media companies can operate, who they can target, and how they collect data. Let's start with Utah's governor, Spencer Cox. He has a bee in his bonnet about social media. He tweeted more than once that protecting young Utahns from the harms of social media is one of his top priorities. And since January this year he's been lamenting the impacts of social media on the young folks of his state. So at the start of the year he held a press conference where he made many statements disparaging social media, things like "we know that social media is causing harm, and we know that social media can lead to cyber bullying." He said our mental health is taking a beating and that the social media platforms know this but are doing nothing. Governor Cox also reportedly said that the situation requires action, and in late March, a sweeping social media bill was passed in Utah by Governor Cox, who is very proud of this accomplishment. He reportedly said "these are the first of their kind bills in the United States, that's huge." And he's right. These two laws are collectively known as the Social Media Regulation Act, and they're to take effect on March 1, 2024. One of the bills requires social media companies to verify the age of any Utah resident with an account on their services. Why? Well, they want to identify users that are under 18 and ensure they have parental consent in order to use social media. Another point is that to access social media between the hours of 10:30 pm and 6:30 am, a young Utah user will need their guardian or parent's consent. Plus, parents and guardians can see everything a young user posts and messages, effectively enabling parental surveillance of their online behavior.
So currently under COPPA, that's the federal children's privacy law, companies are required to ask a user what age they are and they are allowed to trust that that user is being truthful. It's not yet clear how the social media networks are actually going to enforce this; will they have to collect driver's licenses or passports from all users from Utah in order to verify ages? We shall see. But in the interim, this is obviously quite controversial. You have privacy advocates saying that this type of law means that people cannot be anonymous online, and that is a right that they want to protect. You have kids who don't want these restrictions at all. And you have parents that are on both sides of the fence. And note Utah is not alone: the Arkansas legislature has introduced a similar bill that would require social network platforms to verify users' age and obtain explicit parental consent for people under 18. There is a bill introduced in Texas which is even more stringent; it would ban social media accounts for minors, period. So things are changing out there and it's going to be really interesting to see what these bills in Utah, which have been passed, will actually look like when it comes to enforcement time. This was Carole Theriault for the CyberWire.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at email@example.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin, and senior producer, Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by Rachel Galvin. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here tomorrow.