The CyberWire Daily Podcast 7.10.23
Ep 1859 | 7.10.23

New phishing campaigns hit Microsoft 365 and Adobe users. Big Head ransomware. Multichain bridge compromised. CISA adds a KEV. Progress patches MOVEit. Telegram's role in Russia's war.

Transcript

Dave Bittner: New phishing campaigns afflict users of Microsoft 365 and Adobe. An analysis of Big Head ransomware. Multichain reports a crypto heist with over $100 million stolen. CISA makes an addition to the Known Exploited Vulnerabilities Catalog. Progress Software issues additional MOVEit patches. The FBI's Deputy Assistant Director for Cyber, Cynthia Kaiser, joins us with examples of the agency's technical disruption operations. Our guest is Scott Piper, Principal Cloud Security Researcher at Wiz, sharing findings of their State of the Cloud 2023 report. And Telegram's role in news about Russia's war.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Monday, July 10, 2023.

New phishing campaigns afflict users of Microsoft 365 and Adobe.

Dave Bittner: Email security company Vade has detected a new email phishing campaign focused on Microsoft 365. The phishing email contains a malicious HTML file that runs JavaScript meant to collect the victim's email address and update a fake login page with the information collected. The script then forwards the victim to the aptly named evilcorp online. The researchers at Vade determined that the unknown actors are hosting their malicious HTML domains on glitch.me, stating, "We found results for related Microsoft 365 phishing attacks online, in which requests to evilcorp online were made for the phishing applications. Unknown phishers have leveraged the platform glitch.me to host malicious HTML pages." HackRead explains that "Glitch.me is a platform that enables users to create and host web applications, websites, and various online projects. Unfortunately, in this instance, the platform is being exploited to host domains involved in the ongoing Microsoft 365 phishing scam." Vade's research also discovered a similar attack that spoofs the login for Adobe and that uses the same domains as the Microsoft 365 phishing attack. Vade was able to establish a link between the spoofed web-login pages and an application named HawkEye, stating: "As reported by several cybersecurity actors like Talos, the original HawkEye Keylogger is a malware kit whose story began in 2013. Because several versions were introduced, we don't know if the authentication page is related to HawkEye Keylogger." So the story, and the threat, continue to develop.

Big Head ransomware: an analysis.

Dave Bittner: Researchers at Trend Micro have released a technical report about a new ransomware family called "Big Head," which emerged in May of 2023. Two variants have been observed. Trend Micro writes, "We discovered that both strains shared a common contact email in their ransom notes, leading us to suspect that the two different variants originated from the same malware developer. Looking into these variants further, we uncovered a significant number of versions of this malware." The researchers detailed three versions of the Big Head ransomware. The first seems to be strictly ransomware. The second, however, incorporates an info stealer that Trend Micro calls "WorldWind" into the package. The third variant, called "Neshta," seems to be a supplementary file infector that, when employed with either the first or the second variants, can work to "serve as a camouflage technique for the final Big Head ransomware payload." Neshta can make an infestation look like a different type of threat, a virus, for example, which can muddle priorities and divert resources from countering the actual ransomware threat. Trend Micro assesses that the actors behind this new ransomware may not be very sophisticated. They say: "We also checked their Bitcoin wallet history and found transactions made in 2022. While we're unaware of what those transactions are, the history implies that these cybercriminals are not new at this type of threats and attacks, although they might not be sophisticated actors as a whole." Their report adds, "Moreover, advertising on YouTube without any evidence of 'successful penetrations or infections' might seem premature promotional activities from a non-technical perspective. From a technical point of view, these malware developers left recognizable strings, used predictable encryption methods, or implementing weak or easily detectable evasion techniques, among other 'mistakes'."
Sophisticated or not, the misdirection toward other forms of malign activity is a bit unusual. The bad actors more commonly try to deceive by misrepresenting malware as benign.

Multichain reports over $100 million stolen in crypto heist.

Dave Bittner: The Record reports that "the crypto platform Multichain has suspended its services as it investigates claims that more than $125 million in cryptocurrency was stolen." Multichain is a cross-blockchain exchange service, a bridge, that allows users to exchange cryptocurrency between various blockchains and networks. In a July 6 tweet, Multichain advised all of its users to suspend use of its services and "revoke all contract approvals related to Multichain." CryptoMode reports that the theft covered several assets belonging to Multichain. They say the total haul from the theft amounted to a staggering $126 million. The Record says that this isn't the first time a cross-blockchain bridge has been targeted. They say: "Cross-chain bridges like Multichain continue to be a ripe target for hackers in 2023 after billions were stolen throughout 2022."

CISA makes an addition to the Known Exploited Vulnerability Catalog.

Dave Bittner: CISA has added CVE-2021-29256 to its Known Exploited Vulnerabilities Catalog. The flaw is a use-after-free vulnerability affecting the Arm Mali GPU Kernel Driver. Bleeping Computer notes that the vulnerability "can let attackers escalate to root privileges or gain access to sensitive information on targeted Android devices by allowing improper operations on GPU memory." CISA adds that Binding Operational Directive 22-01 "requires Federal Civilian Executive Branch agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats." Google issued a patch for this flaw last week, along with fixes for two other actively exploited Android vulnerabilities. More patches from other vendors may be expected tomorrow, which is, after all, Patch Tuesday. Updates are expected from both Microsoft and Adobe.

Progress Software issues MOVEit patches.

Dave Bittner: Security Week reports that Progress Software, whose MOVEit Transfer vulnerability has been felt broadly across many sectors, has issued patches for three security flaws affecting MOVEit. The vulnerabilities could be exploited to steal information. The company says it will begin issuing service packs to simplify the patching process for its MOVEit products, stating: "These Service Packs will provide a predictable, simple, and transparent process for product and security fixes. We have heard from you that a regular cadence and predictable timeline will enable you to better plan your resources and make it easier to adopt new product updates and fixes. As a part of these Service Packs, we will also be optimizing the installation process to make the upgrade process simpler."

KillNet's aspirations to develop into a private (hacking) military corporation.

Dave Bittner: KillNet has continued to call for people interested in hacking in Russia's interest to join them, and the hacktivist auxiliary says it's offering training to those willing to sign up. The Record by Recorded Future reports that the individual who claims to be the group's founder and leader, known only by their hacker name, "Killmilk," is interested in transforming themselves into a private cyber military corporation, one that could be hired to attack NATO targets under Russian orders. This seems unlikely to happen in the near term. Killmilk's own conduct during the Wagnerite mutiny was sufficiently ambivalent to open the door for reasonable doubt concerning their political reliability. Unlike the criminal gangs who have made financially motivated attacks against targets in unfriendly states, Cl0p, for example, KillNet's mix of brag and DDoS may not easily be monetized.

Telegram's role in Russia's war.

Dave Bittner: And, finally, in a note from Russia's hybrid war against Ukraine, The Verge describes how Telegram, with its small staff, tolerant moderation practices, and large user base, especially in Russia and Ukraine, has enabled an outsized contribution to the sharing of war news. The social medium has been permitted to operate relatively unmolested by Roskomnadzor, Russia's Internet regulation body, at least since the last round of attempted censorship was abandoned in 2020. Instead, the social platform has been the locus of free speech, sound information, disinformation, contending narratives, and a range of conspiracy mongering. The Russian agency seems to be leaving Telegram largely alone because it believes it may be able to break the platform's anonymity and track its users, if it hasn't already done so. If you're a Telegram user in Russia, sleep with one eye open and keep a good scorecard of Kremlin talking points. Coming up after the break: the FBI's Deputy Assistant Director for Cyber, Cynthia Kaiser, joins us with examples of the agency's technical disruption operations. Our guest is Scott Piper from Wiz, sharing findings from their State of the Cloud 2023 Report. Stay with us.

Dave Bittner: Scott Piper is Principal Cloud Security Researcher at cloud security provider Wiz. They recently published their 2023 State of the Cloud Report, and I checked in with Scott Piper for the details.

Scott Piper: There's always been kind of an assumption that AWS is, you know, kind of the main cloud provider used by a number of companies, and that really is playing out in the dataset that we see. No matter how we tried to slice and dice that data, you know, we did see that AWS is the major cloud provider there, and by a pretty large gap as well.

Dave Bittner: What about companies sort of spreading their information among multiple cloud providers? What are you tracking there?

Scott Piper: So I think there's this kind of myth that, you know, multi-cloud, this concept of multi-cloud, is a common thing, or that concept is that you have this, you know, single architecture that spans across multiple cloud providers and you're able to easily move between them, whether that's for, you know, disaster recovery purposes perhaps, or just, you know, the ability to move between them, maybe to take advantage of, you know, various costs, better features of different clouds. And we really see that that's not the case; you know, companies tend to be focused very heavily on a single cloud provider. And there's, you know, a number of reasons for why that probably is. We didn't, you know, really try to identify in our data, you know, why that is. However, you know, there's an assumption that it's probably due to things like data gravity, that it's just difficult to try and move your data between the different cloud providers. You know, people tend to focus on the different clouds, and the reason for that is that they're very complex, and that's some data points that we included in the report, just showing the constant growth of the complexity of the cloud providers. And that's growing in every way that you can imagine. So, you know, whether it's looking at the revenue growth, so we looked at the SEC filings of the different cloud providers in order to see the growth of their cloud businesses, but also things like the API growth. So we were able to look at the SDKs of AWS and look at basically the API counts from, I think it was all the way back to 2016, and you can see there is just this constant steady growth of the number of APIs they have, and what that means is that as the APIs are growing, the complexity of that cloud is growing.
So not only does it have more actions, more APIs that you can take advantage of; what that means though is that there's more services, there's more features, each of those APIs themselves has a growing number of parameters associated with it, and so this complexity is just increasing. And I think as a result of that, that's one of the reasons why companies really tend to focus on a single cloud: it's just that it's too hard to try and keep up with, you know, all the different cloud providers, all the different features they have and, you know, how you could potentially misconfigure them, whether that's, you know, for security reasons or, you know, other types of misconfigurations you can make as well. You know, all these different reasons, I think, really are encouraging companies or motivating them to, you know, stay on the single cloud for most of their workloads. My personal assumption is that the reason they're spanning some of these clouds, when they do have multiple cloud providers, tends to be things like acquisitions or just, you know, other events that are causing, you know, some of the different cloud providers to be used. But it's not really, in my opinion, a focused goal for them to attempt to use the other clouds.

Dave Bittner: But when you look at the information you've gathered here, what are the risks that organizations face? You know, based on the types of cloud usage that you're tracking.

Scott Piper: One interesting thing about this report is that we tried to not have the report exist as kind of a sales pitch for Wiz, and so, looking at the report, it's generally accessible to anybody that is interested in the state of the cloud in general, not even cloud security. And so I think that was kind of a different approach that we had with this report. You know, a lot of times when people put together white papers like this, it's very much a sales pitch for their company in some way, and so we tried to avoid that a little bit. But we did discuss some things. So we did, for example, some research where we created some public S3 buckets in a couple of different ways, and we were interested in how quickly those were going to be found by attackers. And so we've seen some examples where it's, you know, fairly well known amongst cloud security professionals that if you put an AWS access key on GitHub, that access key is going to be found very quickly by attackers, and they have automated tools that are going to try to use those access keys to spin up cryptocurrency mining, which is one of the common things that they do. But we were curious: what if we create a public S3 bucket with a completely random name, nobody can guess this name, and we reference it in a public GitHub repo? We just, you know, basically provide a commit, merge that PR into a public GitHub repo, and it just references a public S3 bucket. Will attackers find that through automated scripts or other means and try to list the contents of that S3 bucket? And so we did find that yes, they do that. And I can't remember the exact number; it was less than 24 hours, though, in which they were able to do it. I think it was maybe seven hours for this.
And then another experiment we did: we've seen that there are tools that exist publicly that allow attackers to try and brute-force guess the names of S3 buckets. So what you do is you basically provide these tools with the name of a company, and then they're going to go through a word list, in the same way you might perform password cracking, in order to guess names of S3 buckets that that company may have. So you can imagine, you know, if it was somebody trying to look for S3 buckets of Wiz, they might try S3 buckets that are named Wiz backups, Wiz logs, you know, various names like that, and Wiz with, you know, various types of hyphens and, you know, periods and other types of, you know, separation characters in between those words. And so we were curious: well, what if we create some of these S3 buckets with some common, you know, names of companies, you know, popular company names out there, and create these S3 buckets and, you know, turn on monitoring of them and see how long it takes attackers to find those? And so we found, I think for that one again the number was less than 24 hours, and I think it was 13 hours for that one.

Dave Bittner: That's Scott Piper from Wiz.

Dave Bittner: And I'm pleased to be joined once again by Cynthia Kaiser. She is Deputy Assistant Director for Cyber at the FBI. Cynthia, welcome back to the show. You know, you and I have spoken about how traditionally, in the past, the FBI helped victims and often functioned in a reactive kind of way, but these days you have a broader set of tools available to you when it comes to cyber, to the point of actually being able to go out and do some technical disruption. Can you share with us what sort of things you can do?

Cynthia Kaiser: Absolutely. I mean, the FBI really has three jobs for American citizens and American businesses, which are to try to take down adversaries and counter their operations before they ever get a chance to target the U.S.; to share information and provide any assistance we can to stop targeting once it's occurred; and then to provide justice to the victims, if you unfortunately become a victim, as well as provide peace of mind and remediation assistance as necessary. So within all of that, I think technical operations fall within almost all of those, but really in that kind of try-to-prevent space. So the FBI disrupted over 300 malicious cyber campaigns last year. Now, that includes a lot of different actions, but many of which are highly technical, and I think a great example of this, and a recent example of this, is our Operation Medusa. Now, Operation Medusa was conducted in May of this year, where we led a multi-agency joint cyber operation to globally disrupt Snake, the most sophisticated cyber espionage tool designed by the Russian Federal Security Service, most people know them as FSB, and they used that for long-term intelligence collection on sensitive targets. So FSB used it to conduct operations against high-priority targets, like government networks, research facilities, journalists, and their targeting was at random. Infection points may have been chosen because of their low security, innocuous reputation, or high traffic volume, specifically for the information they held, like foreign policy communications. We'd identified Snake infrastructure across 50 countries in North and South America, Europe, Africa, Asia, and Australia, including the U.S. and Russia itself. So, kind of going into the operation, the FBI, through its technical capabilities, led an effort to mitigate the malware by disrupting its critical function. So we were basically able to render it inoperable, both in the U.S. and then, with our partners, abroad. I think a great outcome, and a good read for your readers, and I think you've talked about it on this show before, is the Cybersecurity Advisory that we put out, which is just a phenomenal piece of cyber threat intelligence. It's called Hunting Russian Intelligence Snake Malware, and it detailed not only technical mitigations, or just the technical details behind the operation, but it had some of the strongest attribution language in there as well. And it really demonstrated the lengths that we had gone to technically to collect, to understand the adversary, and then to be able to counter it.

Dave Bittner: And there are diplomatic elements to this as well. I mean, this really puts the message out to our adversaries in a way that is direct and straightforward.

Cynthia Kaiser: Absolutely. It puts the message out to our adversaries that we are going to ensure that we have our information correct, that we're going to be dogged in our pursuit of ensuring we understand the truth, and that we're going to share that with American businesses and the American public to make it known. But I like what you said about a diplomatic element there, because I think what's not often thought about when we put out things publicly is the diplomatic element and the space it provides our allies. To have a full technical rundown of exactly what another country has done, not just to the U.S. but to their own citizens, to people in our allies' countries, it gives them the ability to join us and speak with us and talk about cyber norms on the international stage in a way in which you can't do necessarily just with sharing classified information across borders. So these operations and publications provide such a key element in, I think, the global understanding and global cyber norming that needs to occur in this still relatively new space.

Dave Bittner: An operation like Medusa, where you're able to take down Snake, how much of a setback is that for an organization like the FSB?

Cynthia Kaiser: It's a huge setback. Taking down the tools, or taking offline different backdoors, like we did a few months after the March 2021 campaign, where China had put backdoors onto thousands of U.S. networks and we were able to, either through mitigation advice and publications but then through a technical operation as well, shut those backdoors and not enable a massive campaign to continue, that's a huge blow to these organizations, because they're spending millions of dollars and, you know, putting thousands and thousands of hours against conducting operations like this, and we render them ineffective when we're able to conduct these operations. And we buy time, so that they have to reconstitute, they have to try again, do all that work again, and that's time in which they're not targeting Americans.

Dave Bittner: For you and your colleagues there must be a certain sense of gratification as well personally and professionally.

Cynthia Kaiser: Absolutely. I work with some of the, you know, best people, and I like to tell people a lot of times, like, I think I have the best job in Washington, because every day I get to come in to work and know that I'm keeping my friends, family, and community safe. And that's what drives so many of the men and women across the FBI, and especially at FBI Cyber: they're not here for the money, trust me, they're here because they really want to make a difference, and they get to see the difference every day. And that's just exciting; it's exciting to know that you're playing that part in national security.

Dave Bittner: Cynthia Kaiser is Deputy Assistant Director for Cyber at the FBI. Cynthia, thank you so much for sharing your expertise.

Cynthia Kaiser: Thank you so much for having me.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute a regular segment on Jason and Brian's show. We have a lively discussion every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment; your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.