The CyberWire Daily Podcast 6.27.23
Ep 1852 | 6.27.23

Anatsa Trojan's new capabilities. Third-party breach hits airlines. Gas station blues. What’s up with the Internet Research Agency? Infrastructure threats. And DDoS grows more sophisticated.

Transcript

Dave Bittner: The Anatsa Trojan reveals new capabilities. Airlines report employee data stolen in a third-party breach. Canadian energy company SUNCOR reports a cyberattack. What of the Internet Research Agency? Microsoft warns of a rising threat to infrastructure. Joe Carrigan describes an ill-advised phishing simulation. Mr. Security Answer Person, John Pescatore, takes on zero days. And DDoS grows more sophisticated.

Dave Bittner: I'm Dave Bittner, with your CyberWire intel briefing for Tuesday, June 27th, 2023.

Anatsa Trojan's new capabilities.

Dave Bittner: The Android banking Trojan Anatsa has expanded its targeting to new banks in the US, the UK, and Germany, according to researchers at ThreatFabric. Anatsa is delivered via malicious apps in the Google Play Store, and it's been downloaded more than 30,000 times during the present, ongoing campaign. ThreatFabric says, "Once the device is infected, Anatsa is able to collect sensitive information (credentials, credit card details, balance, and payment information) via overlay attacks and keylogging. This information will be later used by the criminals to perform fraud. Anatsa provides them with the capability to perform Device-Takeover Fraud, which then leads to performing actions on the victim's behalf. Since transactions are initiated from the same device that targeted bank customers regularly use, it has been reported that it's very challenging for banking anti-fraud systems to detect it," so it's no longer a simple banking Trojan. It's showing potential for imposing much broader effects than it has in the past.

Airlines report employee data stolen in a third-party breach.

Dave Bittner: Third-party risk continues to affect organizations of all sizes and across multiple sectors. This week, airlines are experiencing the challenge firsthand. A month and a half after learning of a data breach involving their employees, American Airlines and Southwest Airlines have determined that the incident originated with a third-party vendor, Pilot Credentials, which both companies used. In a statement sent to employees, American Airlines explained that they had learned about an incident that occurred on May 3rd, 2023 and subsequently launched an investigation. They say, "According to the third-party vendor, an unauthorized actor accessed the third-party vendor's systems on or around April 30th, 2023 and obtained certain files provided by some pilot and cadet applicants during our hiring process." The airline further explained that names, Social Security numbers, driver's license numbers, passport numbers, dates of birth, Airman Certificate numbers and other government-issued IDs were potentially taken. It's offering two years of IdentityWorks' identity monitoring service to all who were affected. Bleeping Computer writes that 5,745 personnel were affected by the breach. Southwest issued a similar disclosure. On June 23rd, the Office of Maine's Attorney General released a data breach notification for residents affected by the Southwest Airlines breach that put the tally of people affected at just over 3,000. Southwest is offering a two-year Equifax credit monitoring program to affected individuals.

Canadian energy company SUNCOR reports a cyberattack.

Dave Bittner: Sunday, June 25th, the Canadian energy company SUNCOR disclosed that it was the victim of a cyberattack. The company hadn't found any evidence that data regarding customers, suppliers, or employees were affected. Bleeping Computer reports that the company on Monday warned users that they might be unable to log into their accounts, and that there was an ongoing issue with customers' ability to accrue reward points. As of last Friday, many customers were tweeting that it was currently impossible to pay with credit or debit cards at Petro Canada stations, leaving cash as the only option. The company's carwash season passes also seemed to have been affected. Reuters sought more information from the authorities, but there was little on offer. They state, "The Canadian Centre for Cyber Security had earlier said it was aware of reports of an incident affecting Petro Canada, but said it did not generally comment on specific cybersecurity incidents." Petro Canada tweeted some partial reassurance to customers. The gas stations are all open, but customers may find some services interrupted.

What of the Internet Research Agency?

Dave Bittner: Turning to Russia's hybrid war against Ukraine in the wake of the Wagner Group's quickly begun, rapidly advancing, and then suddenly abandoned march on Moscow, people have begun asking what's up with some of Mr. Prigozhin's other activities. What about those trolls he runs, for example? The Wagner Group isn't the only private enterprise that furnishes deniable support to Russian policy, Politico reminds its readers. There's also Mr. Prigozhin's Internet Research Agency, the notorious St. Petersburg troll farm that drew widespread attention for retailing disinformation aimed at influencing elections in the US and elsewhere. How it will fare in the aftermath of its corporate sister's mutiny remains unclear. Politico writes, "Prigozhin has claimed on Telegram to have founded the U.S.-sanctioned Internet Research Agency, and on another occasion said he has interfered in U.S. presidential elections through their spread of disinformation." In any case, the mutiny's aftermath can be expected to include heavy influence operations, directed for the most part at Russian opinion. Much of Mr. Prigozhin's influence operations shade into marketing, particularly in the African countries where his forces remain active. Lawfare yesterday blogged an assessment of how effective the Internet Research Agency has actually been. The group's influence has been easy to overestimate, but it can't be written off either. So the troll farm remains in business. Keep your eyes peeled.

Microsoft warns of a rising threat to infrastructure.

Dave Bittner: Yesterday, Microsoft offered an appreciation of Russia's likely courses of action in the cyber phase of its war against Ukraine, stating, "This, what we are experiencing now, has become a hybrid war, both kinetic and digital. The recent and ongoing cyberattacks have been precisely targeted, with the aim to bring down Ukraine's economy and government." Microsoft's Digital Defense Report showed that the number of cyberattacks targeting critical infrastructure has grown significantly. The level of sophistication of cyberattacks is permanently evolving. The continuing convergence of IT and OT networks represents an increasing risk, especially given the relative fragmentation and impoverished security of operational technology. Microsoft says, "We identified unpatched high-severity vulnerabilities in 75% of the most common industrial controllers in customer operational technology networks." The company's report concludes with a set of recommendations that provide organizations with an eight-step approach to improving infrastructure security.

"The equivalent of a cave man with a club" (but getting more dangerous).

Dave Bittner: And finally, distributed denial of service, that is, DDoS, is showing signs of growing sophistication. Normally, it's just been a nuisance, like kids who won't get off your lawn (kids who ought to know better). One of the experts cited by The Washington Post in a story on that growing sophistication made an Alley Oop comparison. It's caveman stuff, right? And indeed, DDoS has for some time been both a commodified nuisance and one of the defining features of Russia's cyber campaign against countries sympathetic to Ukraine. Cloudflare CEO and co-founder Matthew Prince told The Post, "In the world of cybersecurity threats, it's sort of the equivalent of a caveman with a club." It's not particularly sophisticated but can obviously do a lot of damage. What we have seen is that the clubs continue to get bigger, and the cavemen have gone from knocking down your website, which is embarrassing but may not be all that harmful, to now going after what can be much more critical: attacks against the Domain Name System and layer seven attacks, which hit the application layer of the network. The newly emergent sophistication isn't confined to Russia's cyber-auxiliaries, but it can be expected to manifest itself in that quarter. Expect KillNet to put down that club and pick up a baseball bat, and expect them to get off their dinosaurs and into some cars, not some good ones you understand, probably used Ladas, maybe the four-door, kind of the Babushka bomb. Still, faster than most dinosaurs.

Dave Bittner: Coming up after the break, Joe Carrigan describes an ill-advised phishing simulation. Mr. Security Answer Person John Pescatore takes on zero days. Stay with us.

COMPUTER-GENERATED VOICE #1: Mister.

COMPUTER-GENERATED VOICE #2: Security.

COMPUTER-GENERATED VOICE #3: Answer.

COMPUTER-GENERATED VOICE #4: Person.

COMPUTER-GENERATED VOICE #1: Mister.

COMPUTER-GENERATED VOICE #2: Security.

COMPUTER-GENERATED VOICE #3: Answer.

COMPUTER-GENERATED VOICE #4: Person.

John Pescatore: Hi, I'm John Pescatore, Mr. Security Answer Person. Our question for today's episode: "Seems like every day this year, a new zero-day vulnerability has been found in Android, iOS, Windows operating systems or in major applications. What's going on? Are the software players getting worse at secure software development, or are the researchers and bad guys just getting better at finding more obscure vulnerabilities?" Let's narrow down the wiggle room before I answer your timely and interesting question. First, there really isn't just one definition of what a zero-day vulnerability is. NIST doesn't even have a definition in any of their publications. The closest is "zero-day attack": an attack that exploits a previously unknown hardware, firmware or software vulnerability. But that definition doesn't define "previously unknown." Is it unknown by anyone, or could it be known by the developer but unknown to the owner of the software, since no patch or warning of the vulnerability has been provided? The definition I like to use is closer to what Mandiant uses: a zero-day vulnerability is one discovered either before the developer does, or before the developer has provided a patch or mitigation guidance to customers of the impacted software. Using Mandiant's published statistics, we see 20 zero-days were made public in the first quarter of 2023. If that rate of zero-day discoveries continues all year, we'd see about 80 zero-day vulnerabilities by the end of 2023. That would be a 40% increase over the 55 found in 2022. That is still a bit below the record year of 81 zero-days that were exposed in 2021. There are two major classes of zero-day vulnerabilities. The first comes from developers making mistakes which are known stupid programming tricks and should have been avoided. The frequency of these can and should go down as responsible software companies make investments in secure software development lifecycle programs that include developer training and use of tools to detect known vulnerabilities in code. The second class is when security researchers, either responsible professional ones or criminal ones, think of new ways to attack code. We've seen a lot of that happening related to APIs in common use in modern software. These are unpredictable and immediately impactful but should eventually (ideally, quickly) turn into known stupid programming tricks. If software was like a big kitty litter box we were cleaning, obviously we'd like at some point to see nothing new coming up in a little cleaning scoop thing, but software is more like an infinite beach of sand with new cats moving in and scratching new pits in the sand all the time. We're never going to run out of either type of zero-day being found in software. To build on that analogy -- actually, I'm going to abandon that analogy before it gets too gross. Let's focus on what enterprises need to do to reduce the risk of being damaged by attacks exploiting software vulnerabilities in general. The first step is raising the security procurement bar to drive all software vendors to reduce the frequency of stupid programming tricks showing up in the code you buy from them or download from GitHub for free. Check out the guidance materials available on safecode.org. Patching faster to reduce vulnerability windows is a known and still necessary control. Software whitelisting and application control are the next big pieces, and those two techniques are widely in use already on mobile operating systems, which is why we see very limited impact from zero-days being found on Android and iOS. I just can't resist going back to that analogy. If nothing else, we should all put more pressure on software vendors to filter their software litter boxes with finer-grain scoopy things that remove the nasty stuff before we put food in the software vendors' bowls.

COMPUTER-GENERATED VOICE #1: Mister.

COMPUTER-GENERATED VOICE #2: Security.

COMPUTER-GENERATED VOICE #3: Answer.

COMPUTER-GENERATED VOICE #4: Person.

John Pescatore: Thanks for listening. I'm John Pescatore, Mr. Security Answer Person.

COMPUTER-GENERATED VOICE #1: Mister.

COMPUTER-GENERATED VOICE #2: Security.

COMPUTER-GENERATED VOICE #3: Answer.

COMPUTER-GENERATED VOICE #4: Person.

Dave Bittner: Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send your questions for Mr. Security Answer Person to questions@thecyberwire.com.

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Joe, welcome back.

Joe Carrigan: Hi, Dave.

Dave Bittner: So our listeners are probably aware that you and I both reside in Maryland, and --

Joe Carrigan: We do.

Dave Bittner: -- not far from us is Fairfax County, Virginia --

Joe Carrigan: Yes.

Dave Bittner: -- when in fact, you and I have probably passed through Fairfax County in our travels many times.

Joe Carrigan: Yes, it actually shares a river border with the county I grew up in, Montgomery.

Dave Bittner: There you go. So there's a recent story in The Washington Post here about something that went a bit awry on the last day of school at Fairfax County public schools. So what exactly happened here, Joe?

Joe Carrigan: So here's what happened. Teachers received an email saying, "Thank you for your service this year. We have partnered with this company called Company Rewards to give out gift cards for employees as a thank you for another successful school year," and the email included a link to redeem for a gift card, but if you clicked the link, you didn't get a link to a gift card. You got a link to a phishing training site. Right? So what this is, is Fairfax County is conducting, essentially, phishing training by sending in phishing emails that they control to keep employees on their toes, and this is a good policy in general, but like everything, it has to be done correctly. And, you know, there are companies out there like the sponsor of our show, KnowBe4, and other companies as well that help you do this. You can go out and buy a product, and you can provide them with an email address. They'll generate the emails, or you can generate your own emails.

Dave Bittner: Right.

Joe Carrigan: And you can generate emails that are very crafted towards your audience, because that is exactly what attackers are going to do. They're going to craft these emails to look very much like something that you would receive or you would expect. They're going to do a lot of open source intelligence gathering, and they're going to use that information to build something that is highly likely to succeed. So there is something to be said for the forethought being put into this, but I have said on multiple occasions on this show and on Hacking Humans that this kind of thing is not the right thing to do, where you start talking about people's incentives and start talking about bonuses or other things, or layoffs or something like that. That is something you leave to the bad guys, and rather than conducting these kinds of exercises where you send an exercise phishing email to an employee promising a gift card or something, you say, "We're not going to do that. We don't think that's ethical," but the bad guys are going to do that, and you make that part of your regular security training, your regular security awareness training. So every time that you have people going through this training, say, you know, we're going to be sending out these phishing emails, but we're not going to do this, but bad guys will do this. Don't fall for this. We don't give out gift cards at the end of the year. We don't do that. That's not part of your employment contract. We have a contract. So these are- I believe these are unionized employees.

Dave Bittner: Yeah.

Joe Carrigan: So they already have a clear contract. So it's perfectly fine to say that's not part of your employment contract. We're just not going to do that, so don't expect that from us, and if you see something from- that looks like it comes from us- in fact, there's a line at the end of this from a Mr. Walrod, who's actually the president of the teachers' union, one of the teachers' unions. He said, "We knew this one was real," talking about the apology email that came out from the superintendent. The superintendent did issue a profuse and profound apology saying that this shouldn't have been done, which is correct. It shouldn't have been done. But Walrod said that we know this one wasn't real, because it didn't offer us anything, right, which is kind of the- you know, he's being tongue in cheek but, you know, if you're in a union contract, you know, that contract is binding both ways, right?

Dave Bittner: Yeah, yeah.

Joe Carrigan: So I think it's okay to say, you know, your contract doesn't have these kinds of incentives or these kinds of things, so don't expect to see that. So this kind of stems back from 2020 when Fairfax public schools were subjected to a ransomware attack, something that's happened here in Maryland as well. I think Baltimore County public schools had something happen, very similar. And these kinds of things, these guys go after school systems.

Dave Bittner: Yeah.

Joe Carrigan: So school systems are by no means exempt because they contain an absolute trove of personally identifiable information. If you're looking to get a bunch of stuff for identity theft, I can think of no better place to look for that than stealing all the information on all the high school students in the school system, because these are people who are going to turn 18 in the next year and four years. You could create a bunch of fake identities around these people as they're coming -- you know, essentially synthesize personas for them.

Dave Bittner: Yeah.

Joe Carrigan: And, you know, yes, that would make their lives more miserable, but hey, I mean, these criminals need to make a living too, right? Yeah.

Dave Bittner: So let me ask you this, because I think some of our listeners are probably thinking to themselves of that old saying about how you practice like you play. And, you know, for a test like this to be realistic, you want to put people in the kind of situation that they might be faced with, and so we shouldn't go easy on them. We should send them the things, the hard stuff, you know, the ones that do get them- get their emotions out of whack. You don't agree with that.

Joe Carrigan: I think it depends on the situation. There are places where I would agree with that. I don't think a school is one of them. You know, I would be much more willing to play more hardball in the practice in something that deals with classified information --

Dave Bittner: Right.

Joe Carrigan: -- national security, those kinds of things.

Dave Bittner: Right, soldiers rather than teachers?

Joe Carrigan: Yeah. Right, yeah. The people- you know, the people with real force, people that have the ability to use real force, those people I want more sharply trained, you know, that kind of thing. I think that here with a teacher and at the end of the year, I think the better way to go about this is just a mandatory security awareness training session. It doesn't have to be a long one. It can be a 10-minute session --

Dave Bittner: Yeah.

Joe Carrigan: -- that everybody watches a video on. Hey, coming to the end of the year. Here are the things to look out for. We're not going to do this. We're not going to do this. We're not going to do that. It's all a bunch of hooey if you see it. I think that kind of reminder is a much more pleasant way to go about doing it than this was.

Dave Bittner: Yeah, absolutely it is.

Joe Carrigan: But I totally get the reasoning behind it. The reasoning behind it is not invalid. I just don't think it's- it's not- this is not a cut and dried situation. So, you know, I will argue this point with people and I will not call people that disagree with me wrong on it. I'll just say that I'm more correct.

Dave Bittner: Yeah, I think in this case, it's just ultimately corrosive with your --

Joe Carrigan: Right.

Dave Bittner: -- you know, your co-workers, and so --

Joe Carrigan: It is.

Dave Bittner: -- you just- you got to be sensitive.

Joe Carrigan: Yes.

Dave Bittner: All right. Well, Joe Carrigan, thanks for joining us.

Joe Carrigan: My pleasure, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.