Hackers like to move it, move it. Skimmers observed targeting Americas and Europe. Hybrid war activity.

Dave Bittner: MOVEit Transfer software sees exploitation. A website skimmer has been employed against targets in the Americas and Europe. A look into XeGroup's recent criminal activity. Apple denies the FSB's allegations of collusion with NSA. Kaspersky investigates compromised devices. Johannes Ullrich from SANS describes phony YouTube live streams. Our guest is Sherry Huang from the William and Flora Hewlett Foundation to discuss their grants funding cyber policy studies. And the U.S. Department of Defense provides Starlink services to Ukraine.

Dave Bittner: I'm Dave Bittner with your CyberWire Intel Briefing for Friday, June 2nd, 2023.

The MOVEit Transfer vulnerability.

Dave Bittner: Hackers like to move it, move it, as the song says, and they've been observed exploiting a vulnerability in Progress Software's MOVEit Transfer managed file transfer software, the company disclosed Wednesday. Researchers at Rapid7 say they've observed exploitation of the vulnerability before it was disclosed, and these attacks have increased since its disclosure. The researchers note, our teams have so far observed the same web shell name in multiple customer environments, which may indicate automated exploitation. Bleeping Computer reports that attackers are exploiting the vulnerability to perform mass downloading of data from organizations. Reuters quotes Mandiant's Chief Technology Officer as stating that mass exploitation and broad data theft has occurred over the past few days. Rapid7 adds that the MOVEit Transfer advisory has contradictory wording on patch availability, but that fixed versions of the software are available as of yesterday and should be applied on an emergency basis.

Magecart-esque website skimmer employed against targets in the Americas and Europe.

Dave Bittner: Researchers at Akamai describe a Magecart-style web skimmer campaign that steals credit card information and personally identifiable information by exploiting legitimate websites. So far, the researchers have identified victims in North America, Central America, and Europe. The new campaign represents an evolution over its Magecart predecessor. While Magecart typically exploited Magento systems, the criminal activity Akamai describes also afflicts WooCommerce, WordPress, and Shopify, showing the growing variety of vulnerabilities and abusable platforms that are available for attackers, according to Akamai. This campaign seems to be a long-term effort that works to conceal itself by setting up C2 nodes in victims' websites, creating a host by which they can then distribute malware to other secondary retail websites. Some of the deceptive hosting operations involve repeat victims. The researchers say they've seen a host abused twice, once in the initial infection, and a second time when the threat actors employ their web skimmer. To obfuscate and hide their code, the actors have imitated third-party services like Google Analytics and Google Tag Manager.

XeGroup's recent criminal activity.

Dave Bittner: Another report on skimmers claims to have identified the individual behind a series of incidents. The hacking outfit XeGroup, active since at least 2013, uses a multitude of tactics, techniques, and procedures in its cybercriminal activity, Menlo Security reports. The gang has been observed having involvement in supply chain attacks that resemble Magecart. The gang has also been seen creating fake websites in order to lift personal information, as well as selling data on the dark web. The Hacker News reports that the gang has been known to compromise Internet-exposed servers with well-known exploits and monetize the intrusions by installing password theft or credit card skimming code for online services. One of the identities of an associated hacker has been revealed as Nguyen Huu Tai, seen also going by the names Joe Nguyen and Thanh Nguyen. The researchers assess that it's highly likely that this threat actor is based in Vietnam.

Apple denies FSB allegations of collusion with US intelligence services.

Apple denied working with NSA or any other agency to backdoor its own products in the interest of espionage or surveillance, Reuters reports. In response to FSB charges that Apple had colluded with the U.S. National Security Agency to enable surveillance of Russian iPhone users, Apple said it had never worked with any government to insert a backdoor into any Apple product and never will. TASS reported the FSB's allegations yesterday, saying that, the information obtained by the Russian special services demonstrates close cooperation between Apple and the U.S. national intelligence community, in particular the U.S. NSA. They claim that Apple provided U.S. intelligence services with data. The FSB's claims have been received with some skepticism. Wired, for example, characterizes the allegations as wild.

Kaspersky investigates compromised devices.

Dave Bittner: Meanwhile, Russian cybersecurity firm Kaspersky has observed zero-day exploitation of some of its iPhones by an unknown APT using imperfectly understood techniques. Kaspersky doesn't offer any attribution for the operation, dubbed Operation Triangulation, and doesn't allege Apple collusion with the attackers. The exploit is delivered via iMessage and is triggered without user interaction. The researchers are still analyzing the final payload, and so far have determined that the code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as a plug-in module from the C&C server. The company describes the payload as a fully featured APT platform. Kaspersky says that Operation Triangulation has been in progress since 2019, and that it continues into the present.

NoName057(16) targets Lithuania following the country’s decision to classify Russia’s actions in Ukraine as terrorism. 

Dave Bittner: Russian cyber auxiliary NoName057(16) has been conducting DDoS and defacement campaigns against Lithuanian websites this week. On Monday, the group posted on its Telegram page that they would begin attacks against Lithuanian targets in response to the country's continued support of Ukraine and the decision to classify Russia as a terrorist state. The Lithuanian government statement reads, the war against Ukraine by the Russian Federation is a genocide of the Ukrainian nation carried out by Russia. The Russian Federation is a country that supports and executes terrorism. NoName claims it has attacked 39 Lithuanian websites since Monday, May 29th. The group this week seems to have focused principally on Lithuania, with a few attacks against Latvia interspersed with its actions against Lithuanian targets. The group's attacks seem to be randomly dispersed across sectors that include agriculture, financial, and energy.

US Department of Defense provides Starlink services to Ukraine.

Dave Bittner: And finally, the U.S. is funding Starlink communications for Ukraine, C4ISR.Net reports. Because of the sensitivity of the nature of the services provided, the Department of Defense provided no information on their cost, duration, or coverage. Starlink has, over the course of the war, provided valuable and resilient connectivity to Ukraine.

Dave Bittner: Coming up after the break, Johannes Ullrich from SANS describes phony YouTube live streams. Our guest is Sherry Huang from the William and Flora Hewlett Foundation to discuss their grants funding cyber policy studies. Stay with us.

The William and Flora Hewlett Foundation is providing grants to fund cyber policy studies at four institutions serving diverse student populations: Spelman College in Atlanta and Tallahassee's Florida A&M University, two historically Black institutions; Florida International University in Miami, a Hispanic serving institution; and Turtle Mountain Community College, a tribal college in Belcourt, North Dakota. To learn more about the grants, I spoke with Sherry Huang, interim Program Officer for the Cyber Initiative and also the Special Projects Fellow at the Hewlett Foundation.

Sherry Huang: The Hewlett Foundation has had a pivot or, like, has increased the momentum of focusing on racial justice since 2020 and the murder of George Floyd. And so across our program areas, we've been thinking of ways to center diversity, equity, inclusion, and justice in our grant-making. And in that stream, the Cyber Initiative has also been thinking about how we can help diversify the cyber policy field, a field that we've been building and nurturing for almost 10 years. And to give a little bit of context, our approach to funding the cyber policy field is through three core pillars. So number one, we seek to build a set of core institutions, whether it's think tanks, or academic programs at universities, or other nonprofits. And then we also focus on the talent pipeline. So we fund degree programs at universities and fellowships at think tanks to have a steady pipeline of experts coming into the tech policy field. And then our last pillar is more related to translation infrastructure, working with journalists in the media to help socialize and also make the concepts of cybersecurity and cyber policy more accessible and approachable to the general public. So with the shift of the Hewlett Foundation to focus more on diversity, equity, and inclusion, the Cyber Initiative has also looked into different ways that we can help diversify the cyber policy field. And we had a evaluation of our cyber talent pipeline strategy in 2021. And one really big finding that came out of it is that, hey, we've been doing a really good job building the talent pipeline but predominantly for predominantly white institutions. And there is still a very big gap in representation from other, more diverse communities in the U.S. And so one of the recommendations that came out of that was to look more at other minority-serving institutions, including historically Black colleges and universities, Hispanic-serving institutions, and tribal colleges. I mean, the evaluation really focused on HBCUs. But as we started thinking about what we want to focus on in the last two years of the Cyber Initiative, we really wanted to broaden our view to not only focus on historically Black colleges, but also include other communities that have been marginalized and historically underrepresented. And so for our round of grant-making, we decided in the end to fund two HBCUs, one Hispanic-serving institution, and one tribal college. And they are Florida A&M University and Spelman College -- these are our two HBCUs; Florida International University -- this is our Hispanic serving institution; and Turtle Mountain Community College, that is based two and a half hours outside of Minot, North Dakota, and that is our tribal college.

Dave Bittner: And what types of grants are we talking about here? What are those specific things that -- that this money will fund at these universities?

Sherry Huang: So we're looking at general operating support grants. For those who aren't as familiar with philanthropy, a lot of funders, they give project grants, which are often tied to a specific project that they are interested in or a specific issue area that they're interested in. From the Hewlett end, we are working to give more general operating support grants that basically gives our grantee partners a lump sum, and they can decide what they want to do with it as long as it's for a charitable purpose. Through general operating support grants, our grantee partners, they can build -- whether it's a new degree program at their university or a brand-new cyber policy center. They can decide to use those funds to hire more faculty, to give scholarships or fellowships to their students. Basically, anything they want to do that will help build a talent pipeline of students through an interdisciplinary program is what we're looking for.

Dave Bittner: And -- and how do you measure success? What -- what sort of feedback do you get from these institutions to report back on what they're doing?

Sherry Huang: That's a really good question. I would say the measure of success number one is whether they have been able to create a formalized program. So some of these institutions, they currently already have existing cyber policy programs, and our funds will just help them grow it and expand it even more. Other institutions, they currently do not have a cyber policy-focused program there. So they're going to build it from scratch. So I would say the first measure of success would be, is there a formal -- formal program in a couple of years. Number two, I would say, the capacity is very important for, like, all sorts of institutions. And one thing that we've learned from interviewing, like, more than 20 experts and partners in the field is that oftentimes, for minority-serving institutions or, like, non-predominantly white institutions, there is a shortage of capacity, especially at the mid-level faculty level. And so the second measure of success would be whether these institutions have been able to use our funds to build more institutional capacity so that their faculty aren't overstretched. They -- they have time and space to really focus on working with their students and working on the research areas that they care about and see as important for the field. The number three, I would say, the last measure of success is more long-term and whether this -- these programs are able to continue. So oftentimes, we see initiatives where a funder comes in. And once the funding period is over, the institution itself isn't able to attract more long-term, sustainable funding, and then that program just peters out. And that is the last thing we want to see. So from the start, we've been working with our grantee partners on how to think about what happens after the end of the Hewlett funding period. So do they have strategies and plans in place to cultivate independent revenue streams that would allow them to sustain this program beyond Hewlett support. And I think this -- this conversation, we have already launched it. And it's an ongoing conversation because we really want to see these efforts sustain. And just one thing I forgot to mention is that our ultimate goal is to see these first four grantees as anchor grantees, and hopefully they will inspire more minority-serving institutions or other institutions that have a large body of historically diverse communities as their students to start thinking about, hey, whether cyber policy and tech policy is a program area that I want to start offering at my school. Like, do I want to start focusing on this at the institution level as well. So we really hope that they are the initial start, but that their impact and their work can inspire more work across the country and also globally.

Dave Bittner: That's Sherry Huang from the Hewlett Foundation.

And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the "ISC Stormcast" podcast. Johannes, it's always great to welcome you back. You and your colleagues have been tracking some YouTube live streams that have been advertising cryptocurrency, but there's more than meets the eye here. Yes?

Johannes Ullrich: Yeah. It's sort of interesting in a couple of ways. Now, first of all, the scam itself, I think, is fairly obvious -- has often been done. You do see a YouTube video usually claiming to be a live stream and usually involving some personality that you may be interested in. Like, what I've seen just yesterday was Elon Musk talking about the latest SpaceX update. So that's how the video was advertised. When you click on it, you don't see a live stream, you see a recording of Elon Musk, which itself wouldn't necessarily be that malicious, but then fairly early in the video, there's a little overlay that's being displayed. It shows a tweet by Elon Musk -- at least it claims to be a tweet by Elon Musk -- and a QR code telling you, hey, if you scan this QR code, I'm giving away cryptocurrencies today because after all, I became the richest man in the world because I like to give money away. That's how it usually works. All right? So -- [laughter]

Dave Bittner: I remember when Bill Gates was the one who was giving away all of his money. [laughter] [multiple speakers]

Johannes Ullrich: Yeah, he was giving away. I guess he's poor now, and he gave all away -- his money away and no longer, but Elon Must --

Dave Bittner: Yeah.

Johannes Ullrich: -- is sort of [inaudible] cryptocurrency [inaudible] a personality that's -- that's being used here. And at the site itself, then offers a fairly straightforward scam. You're sending Bitcoin or a couple different currencies they usually use to this account and hey, magically, you'll get twice of what you send back. The sad part is the Bitcoin address, at least that I looked at yesterday, it already had received like $25,000 worth of Bitcoin. So --

Dave Bittner: Wow.

Johannes Ullrich: -- people apparently are falling for it. But so this scam is pretty old. But what got me interested into it is the YouTube channels they're using are not newly created scam channels. You would think that they'd just set up a new channel and post their little videos.

Dave Bittner: Right.

Johannes Ullrich: There's a problem with that. Imagine you play with YouTube a little bit as well. You need actually subscribers to your channel for people to actually watch it.

Dave Bittner: Right.

Johannes Ullrich: Some of these channels were created, like, back in 2008 and such. They had 2 million subscribers. So they've weren't small channels. But apparently what happened here was that the channel itself was active at a time. Well, creator fatigue set in or whatever. It sort of was no longer maintained, and then someone took it over. In some cases, I was able to actually track it down where credentials were stolen. So someone phished these creators and then got the credentials for a YouTube account and just outright stole it. There have actually been a couple of cases where channels were sold for a little bit of money, and they're now being used for these scams. So just because a channel is popular, has a lot of subscribers, doesn't necessarily mean that it's a reputable channel in that sense.

Dave Bittner: I -- I suppose there's a lesson here too, that perhaps it's in your best interest, if you're a regular viewer on YouTube, to go through the channels you subscribe to, and if something hasn't updated in a while, or certainly in a couple of years, unsubscribe. Get it out of that feed. Don't -- don't help feed those algorithms.

Johannes Ullrich: That's probably a good idea. Yeah. And -- and then in case that channel does ever get taken over, you can now -- you're no longer exposed as -- as much as you were before. Now, the ads I've seen, I don't think any of these channels I subscribe to, but it was also like the channel for example, with the supposed SpaceX video, well, it was a space-related channel. So I'm a little bit a geek, I guess. So I watch a lot of those type of videos, which probably is why the algorithm fed it to me.

Dave Bittner: Right. Right. And the -- and the scam itself -- I mean, it's fascinating because it's a -- it's a legit video of someone like Elon Musk doing a legit presentation. So they're using the fact that that part is legit to overlay the scam using the reputation and the legitimacy of the original presentation.

Johannes Ullrich: Correct. And that probably also helps with algorithms, again, you know, if you have a personality like this that people are interested in. And so that may bring that again at the forefront of more -- more viewers.

Dave Bittner: Yeah.

Johannes Ullrich: Google itself does a little bit fil-- not Google, YouTube. YouTube itself does a little bit filtering here. There is a lot of talk also in these creator community about whether or not you're allowed to use swear words in the first 10 seconds of the video because that's apparently sort of what YouTube is reviewing, when they are sort of seeing some videos that are all of a sudden very popular and such. Then again, if you just wait till those 10 seconds. And of course, there's lots of experiments that people are doing -- legitimate creators are doing in order to figure out, you know, how to best use these monetization algorithms in YouTube. So you basically have to figure out yourself that you have to place this fake ad in order to sneak past some of the reviewing they may be doing.

Dave Bittner: Yeah. All right. Well, something to keep an eye out for. Johannes Ullrich, thanks for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at thecyberwire.com. Be sure to check out this weekend's "Research Saturday," my conversation with Brigid O Gorman from Symantec. We're talking about Lancefly -- a group uses custom backdoors to target orgs in government, aviation, and other sectors. That's "Research Saturday." Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our Mixer is Tré Hester with original music by Elliot Peltzman. The show was written by Rachel Gelfand. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.