Cl0p moves their way into the systems of major European companies. Notes from a highly active cyber underworld. And hybrid war updates.
Dave Bittner: The Cl0p gang claims responsibility for the MOVEit file transfer vulnerability. Verizon's DBIR is out. Palo Alto Networks takes a snapshot of last year's threat trends. A new criminal campaign targets Android users wishing to install modified apps. A smishing campaign is expanding into the Middle East. Cisco observes compromised vendor and contractor accounts as an access point for network penetration. Cyclops ransomware acts as a dual threat. Anonymous Sudan demands a million bucks to stop attacks on Microsoft platforms. Ben Yelin explains a groundbreaking decision on border searches. Our guest is Matt Caulfield of Oort with insights on identity security. And a deepfaked martial-law announcement airs on Russian provincial radio stations.
Dave Bittner: I'm Dave Bittner with your CyberWire Intel Briefing for Tuesday, June 6th, 2023.
Update: Cl0p claims responsibility for MOVEit file transfer vulnerability and subsequent data breach.
Dave Bittner: Yesterday, Cl0p told Bleeping Computer that it was responsible for the employment of the MOVEit Transfer SQL injection vulnerability. The vulnerability, which was added to the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerability Catalog last Friday, was first employed on May 27th, Bleeping Computer reported. Mandiant had associated exploitation of this vulnerability with Cl0p, as the gang had been searching for partners that use SQL injection. That attribution now seems to be confirmed. Sky News said that Cl0p had claimed responsibility for exploiting the vulnerability against several British and Irish companies, including the BBC, British Airways, Boots, and Aer Lingus, with the intention of stealing customer information as well as national insurance numbers. The companies at present don't believe their financial information was stolen.
Verizon's DBIR is out.
Dave Bittner: Verizon has released its 2023 Data Breach Investigations Report -- the DBIR -- finding that 74% of breaches involved a human element. This includes human error, privilege misuse, use of stolen credentials, and social engineering. Business email compromise attacks have also nearly doubled this year. The median cost of BEC attacks has risen to around $50,000. Fortunately, collaboration between law enforcement and banks aided over half of the reported BEC victims in recovering a majority of their money back -- almost 82%. Ninety-five percent of breaches were financially motivated, and ransomware attacks have remained steady, representing 24% of security incidents.
Threat trends: a snapshot.
Dave Bittner: In another study of recent developments in threat circles, Palo Alto Networks' Unit 42 has published a report looking at malware trends during 2022. The researchers observed a 55% increase in vulnerability exploit attempts compared to 2021. Many of these attempts involve the Log4j and Realtek supply-chain vulnerabilities. PDF attachments were used in 66% of attempts to deliver malware via email, and the researchers also found that the average count of malware attacks between 2021 and 2022 jumped by 238%.
New criminal campaign targets Android users who wish to install modified applications.
Dave Bittner: Researchers at Bitdefender have discovered what they describe as a hidden malware campaign, living undetected on mobile devices worldwide for more than six months. The researchers explained that the campaign is designed to aggressively push adware, a type of malware that forces unwanted ads into the victims' online experience. The campaign is probably capable of switching tactics and transitioning to pushing Trojans or other malware to the devices already infected. Bitdefender has observed over 60,000 different samples that carry this adware and the campaign, they believe, started in October of 2022. The applications that carry the malware are not available on any official app stores. Instead, they often pretend to be game cracks, free VPNs, Netflix, YouTube, or TikTok without ads, even going so far as to fake security software. The most popular downloads seem to be modified legitimate applications that the scammers claim have been enhanced for better user experience. The applications, once installed, aren't marked with an icon, making them more difficult to uninstall and potentially misleading the user into thinking there was a problem during the installation process. You know what they say. Good things aren't cheap, and cheap things aren't good. While nobody enjoys shelling out cash for games and premium services, it may be safe to say that malware may be even less desirable.
Criminal smishing campaign expands to the Middle East.
Dave Bittner: Group-IB warns that a Chinese-speaking phishing gang has expanded its targeting from the Asia-Pacific region to the Middle East. The gang, which the researchers call "PostalFurious," impersonated a toll operator and a postal service in the Middle East. In the former case, the scammers messaged victims with a request for immediate payment to avoid additional fines. In the other cases, they send bogus package delivery notifications by text message. The gang's motivation seems to be financial -- that is, straightforwardly criminal.
Using vendor and contractor accounts to penetrate networks.
Dave Bittner: Cisco Talos today released a report detailing attackers' targeting and abuse of compromised accounts belonging to vendors and contractors. While the researchers highlight that recent software supply-chain attacks, such as those affecting 3CX and MSI, have drawn attention, other links of the supply chain are easier to exploit and are often overlooked. Using and abusing VCAs allows for more access and privilege into systems that may not be identified in a timely manner, as trust in the third-party workforce provider may keep from a deep look into those accounts.
Cyclops ransomware as a dual threat.
Dave Bittner: The Uptycs threat intelligence team yesterday shared their discovery of a new threat actor called "Cyclops." The Cyclops ransomware-as-a-service offering is capable of infecting Windows, Linux, and Mac OS machines. The malware, researchers say, also contains a binary specifically for lifting sensitive data. Cyclops has been seen shilling its offering on forums and requests a cut of the profits if the malware is used. After the payload scans and identifies the processes that are running on the infected machine and retrieves all of the drive information, a ransom note is dropped. The note, a text file, redirects to an Onion site that promises to lead them on the road to recovery of their data if they pay up. Cyclops ransomware is said to share attributes with other ransomware families. The ransomware encryption logic in Cyclops is said to be similar to that of Babuk, and the encoding and storage of executable strings was observed in version 2 of LockBit.
Anonymous Sudan attacks Microsoft platforms and demands $1,000,000 to stop the attacks.
Dave Bittner: Anonymous Sudan began targeting U.S. organizations on Saturday in a new distributed denial-of-service campaign after the hacktivist took offense at comments made by U.S. Secretary of State Antony Blinken regarding a possible U.S. involvement in Sudan. The attacks, which originally targeted hospitals and the ride-sharing company Lyft, have now been refocused on Microsoft Outlook and Microsoft-owned OpenAI's ChatGPT chatbot. The group announced yesterday that they had disabled Microsoft Outlook in DDoS attacks which reportedly frustrated thousands of customers, CNN reported. BleepingComputer reported a global outage which prevented Outlook users from sending emails or managing calendars. After the attacks, Anonymous Sudan continued lobbing insults at Microsoft and even launched surprise attacks as they took offense to Microsoft tweeting that they had solved the issue impacting service. The group even went so far as to advertise their IT services to Microsoft for a million dollars. Today, the group announced that it would go after ChatGPT, posting that they had already run a test attack and would launch a real attack later in the day. They explained in a humblebrag sort of way that they had done all of this with Internet speeds reaching less than one megabit per second. Internet issues seem to have plagued the hacktivist group, as earlier this year, they complained of widespread Internet outages and appealed for Starlink to be opened in Sudan. In an attempt to gather attention, they claimed that they had shut down Twitter with a DDoS attack. The group has since announced a new attack on Microsoft products starting today at 11 a.m. Eastern time this morning.
Deepfaked martial law announcement airs on Russian provincial radio stations.
Dave Bittner: And finally, a bogus radio address misrepresenting itself as coming directly from President Putin aired Monday over some Russian radio stations near the border with Ukraine. In the broadcast, the faux Putin said that Ukrainian forces had crossed the Russian border in large numbers, that Russia had declared both martial law and a general mobilization, and that citizens in border regions should evacuate deeper into Russia. Official Russian media were quick to debunk the story, attributing the broadcast to hacking, and saying that in response to the incident, law enforcement and other local authorities had taken control of the local radio stations.
Dave Bittner: Coming up after the break, Ben Yelin explains a groundbreaking decision on border searches. Our guest is Matt Caulfield of Oort with insights on identity security. Stay with us.
Dave Bittner: Identity threat detection and response firm Oort recently released the 2023 edition of their State of Identity Security Report. Matt Caulfield is founder and CEO of Oort.
Matt Caulfield: We're at the very beginning of what's going to be a long journey. I usually use the analogy of, think of where your network security was maybe 30 years ago or where endpoint security was maybe 20 years ago. That's where identity security is today. We don't have, you know, endpoint detection response or even the anti-virus equivalent of identity security. So we're just getting started. People are just waking up to the fact that, although we've invested a lot in identity infrastructure -- single sign-on, directories, governance tools, password vaults -- we're just now getting started on tools that give us visibility across the IAM infrastructure that an enterprise might have in order to secure and understand that infrastructure and protect that identity attack surface.
Dave Bittner: Well, let's dig into some of the findings from the report here. What -- what are some of the things that caught your eye?
Matt Caulfield: Yeah. So we worked on this pretty diligently with our team. We have an in-house data science team that put this together. And, you know, there's some high-level takeaways that may not be all that surprising but really reaffirm the magnitude of the problem that I think we all understand intuitively. So we found that across 500,000 identities that we analyzed, over 40% of them had no form of strong MFA. And what that means is that they either had no MFA -- multi-factor authentication -- at all, or they're using a weak form of MFA, such as -- such as SMS, which is very easy to phish. So that's one big takeaway. Another is that, unsurprisingly, administrator accounts are much more likely to be attacked and taken over. And then, I think the third big takeaway that we found is that 25% of accounts in the average enterprise are just simply not being used at all. They haven't been logged in to for 30, 60, or even 90 days.
Dave Bittner: Well, let's go through some of the proposed solutions here. Or what do you all recommend?
Matt Caulfield: Sure. There's a lot that enterprise companies large and small can be doing to get ahead of this, and not all of them need to break the bank. There's plenty of low-hanging fruit that companies can take care of, starting with cleaning up, looking for some of these 25% inactive accounts, cleaning up accounts that haven't been used. I often use the analogy that a dormant account or an orphaned account is kind of like a -- a server sitting in a closet somewhere that hasn't been patched in the past five years. Accounts are no different, you know. Attackers are just waiting to take over those unused assets and then take over them. So cleaning up and identity hygiene has to be priority number one. And I think number two would be getting more visibility around the behavior of identities and doing more around what's called identity threat detection these days, looking for specific tactics, looking for indicators of compromise, and even looking for anomalies based on user behavior.
Dave Bittner: You know, your comparison to servers reminds me of that old story about how, you know, if somebody doesn't know what a particular server is doing, just pull the plug, and the person who's using it will come find you.
Matt Caulfield: Yes.
Dave Bittner: [laughter] I wonder if that applies to accounts as well.
Matt Caulfield: That 100% applies to accounts as well. In fact, we do -- we do this all the time. We suspend accounts on behalf of our customers for unused ones. And they're very, very cautious not to turn off the CFO's account or the CEO's account because that's what we would call a career-limiting move. [laughter] But yes, for your everyday users, it's actually quite a good way, especially for contractor accounts where you don't know if the contract is done or not. Turning them off, you'll know pretty quickly if it still needs to be used.
Dave Bittner: Can we dig into some of the specifics about MFA here because I think a lot of folks probably think I'm -- the fact that I'm using MFA at all puts me head and shoulders above the folks who aren't. Is -- to what degree is that the reality?
Matt Caulfield: So that's true. We've come a long way in the industry with MFA adoption. And so, you know, when you're trying to outrun the bear, you don't need to be faster than the bear, you just need to be faster than the guy who's still putting his shoes on. The same thing is true for MFA. So now that everybody's got MFA, everyone's got their shoes on. Now, it's a question of, well, who has a stronger form of MFA. And what we're finding is that not all factors, multi-factors, are created equal. Some of them are much easier to phish or man-in-the-middle than others. So for example, SMS is exceptionally easy to phish because it's just a code that you copy from one screen to another. And so you can imagine like, well, it's fairly easy for an attacker to pretend to be somebody from IT or support and say, hey, I'm from, you know, support at your company. You'll have just received a six-digit code. We're troubleshooting your account. Can you please send that over to me so I can continue what I'm doing? And oftentimes, that will work. And so we're seeing many companies try to move to stronger forms of MFA. So for example, FIDO2-compliant, phishing-resistant YubiKeys, for example, are one of the strongest forms, or biometrics that are tied to a device are another way that people are ramping up their -- the strength of their multi-factor. And we're seeing a lot of companies adopt passwordless. Often that's tied to factors that are, you know, difficult to phish. And because you don't have passwords, you're less likely to input, you know, the wrong password into the wrong screen.
Dave Bittner: Where do you suppose we're headed with this? Is this -- is it clear to you what the future may hold?
Matt Caulfield: I have my version of the future, which I think is that we'll never be perfect. In the same way that endpoints will always have vulnerabilities, in the same way that networks will always have back doors, there will always be a way to bypass MFA and single sign-on screens. What we need is vigilance and additional systems to provide visibility over these -- these critical pieces of infrastructure. And so if you imagine that, hey, we can't necessarily trust Apple or Microsoft to completely lock down their devices, so that's why we invest in EDR tools like CrowdStrike because, although Microsoft and Apple have been doing a much better job than in the past, we still want that extra layer of -- of insurance. And I think identity is the same way. We'll continue to evolve the identity infrastructure and invest in stronger forms of multi-factor and Okta and Microsoft and Duo and Google Workspace will continue to evolve with the security of their identity controls, but there will always be the need for security teams to have an additional layer of visibility to make sure that that IAM infrastructure is behaving as expected, and any new identity vulnerabilities are taken care of right away.
Dave Bittner: That's Matt Caulfield from Oort. The report is the 2023 "State of Identity Security Report."
Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hey there, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: So interesting development here. I'm referencing an article over from the EFF, the Electronic Frontier Foundation. This was written by Sophia Cope, and it's titled "Federal Judge Makes History in Holding That Border Searches of Cell Phones Require a Warrant." This seems to me like a big deal here, Ben. Am I correct?
Ben Yelin: To paraphrase our president from when he was vice president, this is certainly a BFD. [laughter] So the case she is referencing in this piece is United States v. Smith.
Dave Bittner: Okay.
Ben Yelin: For a little bit of background, there has long been a border search exception to the warrant requirements in the Fourth Amendment of the Constitution. So the Fourth Amendment prohibits unreasonable searches and seizures. Searches have to be supported by a probable cause, a finding that has to be confirmed by a neutral magistrate. That's the essence of our Fourth Amendment.
Dave Bittner: Right.
Ben Yelin: But the Supreme Court has identified circumstances in which a search can be reasonable for Fourth Amendment purposes even in the absence of a warrant, and one of those exceptions has been for physical searches at the border. There's a public policy justification for that, which is that we have a broader public policy interest beyond just apprehending criminals to prevent contraband from coming in from -- from overseas. So this is a well-accepted exception. This has been considered under what's called the Special Needs doctrine at the Supreme Court.
Dave Bittner: Right.
Ben Yelin: This gets much more tricky when we're talking about the application to digital data. So there were a couple of other federal appellate courts who started to limit this generalized border exception under the Fourth Amendment. So for example, the Ninth Circuit, in a case called United States v. Cano, held that a warrant is required for a device search at the border that seeks data other than, quote, digital contraband -- something like child pornography. There's a Fourth Circuit case -- I believe we talked about it at the time -- United States v. Aigbekaen, if I'm pronouncing that correctly, which held that a warrant is required for a forensic device search at the border in support of a domestic criminal investigation. What this judge does here is go even further than previous appellate courts and holds that all searches of cell phones at the border require a warrant. And she does that by referencing the 2014 Supreme Court decision in Riley v. California. That decision held that even in a search incident to arrest, the government needs to obtain a warrant before it searches an individual's cell phone. And the impetus behind that opinion was that the cell phone holds a wealth of information. It's beyond a simple device. It has all of our private stuff in it.
Dave Bittner: Yeah.
Ben Yelin: All of our contacts, all of our emails. So it's just this mosaic of our lives that we've never encountered before. And for that reason, even if it is a search incident to arrest, then the government needs a warrant under the Fourth Amendment. So I think what this judge is doing is extending that logic to border searches. They're applying the same sort of balancing tests that the Supreme Court used in Riley where they're measuring the government's need versus the potential invasion of privacy. Certainly the government does have a need, does have a public policy justification for wanting information on people who are crossing our borders. I think everybody recognizes that need. But when we balance that against the idea that we're going to be warrantlessly searching people's cell phones, especially U.S. persons' cell phones, the balance just does not weigh in favor of the government. And that's true, according to this federal judge, whether the search happens at the border or anywhere else. So I think this is certainly a groundbreaking decision. We'll see what happens as it makes its way up to the Second Circuit Court of Appeals, where they -- they may or may not consider -- consider this decision if the United States chooses to appeal, which I suspect they will.
Dave Bittner: Yeah. So does this put us on a more likely path to the Supreme Court?
Ben Yelin: I'm not sure yet. I mean, I think certainly the potential is there. I've been looking for a border search case at the Supreme Court, and I was expecting that the next case we'd see there was -- was going to be on something narrower, like whether a warrant is required for a full, digital forensic search. This is such a broad question. I think perhaps the Supreme Court would like to see other circuits weigh in on this, to make sure that there's a split among circuits before they have an interest in taking it up. But it's certainly possible that we eventually see this in front of the Supreme Court, especially if the Second Circuit -- which I'll note has a pretty liberal majority -- especially if they uphold this decision from the District Court and the Supreme Court realizes that this presents a really novel issue of law that they need to weigh in on, then I think that we could see this come in front of the Supreme Court sooner rather than later.
Dave Bittner: Yeah. I -- I guess part of what rubs a lot of people the wrong way, and I would put myself in that category, is the degree to which the border is defined so broadly, right?
Ben Yelin: Right.
Dave Bittner: It's like, I mean, you imagine, you know, just everyone picture in your mind, you know, the border? Would you imagine it to be the border of the United States? And then, what is it, like, 200 miles arou -- around the edge of that border is what U.S. Customs and Border Protection claims to be their jurisdiction? And then measure the percentage of U.S. citizens who live out there day-to-day in that zone?
Ben Yelin: Right. Right.
Dave Bittner: It's just --
Ben Yelin: That 200-mile zone of the border.
Dave Bittner: Right. Because where did we build our cities? On the border. Where the ports are. And so it just, you know -- [multiple speakers]
Ben Yelin: Not to mention, it's people coming back from traveling overseas --
Dave Bittner: Right.
Ben Yelin: -- via airplane. So the fact that we're just going to abandon all of our Fourth Amendment protections because somebody traveled internationally?
Dave Bittner: Yeah.
Ben Yelin: I mean, that's certainly a question up for interpretation under the Fourth Amendment, I think. I think that's exactly what the judge is saying here.
Dave Bittner: Yeah. All right. Well, this is another one we're going to have to keep an eye on. But this one certainly caught my attention here. I -- I -- this was a -- a very interesting development, right?
Ben Yelin: Certainly is. Yes.
Dave Bittner: Yeah. All right. Well, Ben Yelin. Thanks so much for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at firstname.lastname@example.org. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our Mixer is Tré Hester with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.