Malvertising meets SEO poisoning. Fast moving on MOVEit exploit remediation. Ransomware trends. Cyberespionage, sanctions, and influence ops. Ave atque vale Kevin Mitnick.
Dave Bittner: Sophos analyzes malvertising through purchased Google Ads. The MOVEit vulnerability is remediated faster than most. The DeliveryCheck backdoor is used against Ukrainian targets. SORM is under stress. Ukrainian police roll up another bot farm working in support of Russian influence operations. AJ Nash from ZeroFox provides insights on the White House cybersecurity labeling program. David Moulton from Palo Alto Networks Unit 42 introduces his new segment "Threat Vector." And we bid farewell to Kevin Mitnick.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, July 20th, 2023.
Malvertising through purchased Google Ads.
Dave Bittner: Sophos has released a threat profile report for malvertising campaigns that use paid advertisements to infect victims with infostealers and backdoors. The threat actors have been using search engine optimization (SEO) poisoning to position themselves at the top of search results, thereby making users more ready to click malicious links and download malware. Sophos explains, “As well as conning search engines to try and get their malicious sites near the top of search results, they can also pay for the privilege: buying paid ads from Google so that their sites are guaranteed to appear prominently. This attack – known as ‘malvertising’ – is often aimed at users looking to download popular software applications.” (IcedID and Gozi are two malware strains particularly mentioned in dispatches.)
Dave Bittner: Malvertising isn’t a new tactic, but it’s growing in popularity, especially when paired with SEO. “In January 2023, for example, Tech Monitor reported that users searching for OBS (a screencasting and streaming app) saw as many as five malicious links at the top of the search results– which, if clicked, downloaded the Rhadamanthys infostealer. Spamhaus and Guardio Labs also reported on this increase.” Through its own research Sophos has determined that many of the malicious ads were in fact purchased and presented through Google Ads. And larger market trends are also reflected in the criminals’ ad buys. Sophos also noticed that newer malvertising campaigns tend to forgo previous fake advertisements for sought-after tools like WinRAR and Notepad++, instead targeting users searching for AI-related tools such as ChatGPT and Midjourney.
Dave Bittner: So the cyber gangs have recognized the truth of what Dorothy L. Sayers wrote almost a hundred years ago: it pays to advertise. (We note, in an aside, hey, good guys–we take advertising right here. Not from bad guys, but just from you.)
MOVEit vulnerability remediated faster than most.
Dave Bittner: Bitsight has published a report looking at organizations’ remediation of the various MOVEit vulnerabilities disclosed over the past few months: “We are observing what Bitsight calls ‘rapid remediation’ for these vulnerabilities. Typical remediation rates for software vulnerabilities are at a mere 5 percent per month, while these remediation rates are significantly faster. In a typical vulnerability remediation pattern, it would take 29 months to reach the same level of remediation we observe happening for MOVEit after just 42 days. In other words, organizations are remediating CVE-2023-34362 roughly 21X faster than what’s considered typical. The point? Organizations are taking these MOVEit vulnerabilities very seriously, and rightfully so.”
Dave Bittner: Bitsight believes the rapid patching is due to Progress Software’s “diligence in publishing timely and informative advisories,” as well as the US Cybersecurity and Infrastructure Security Agency’s timely and explicit alerts.
Ransomware report: US companies made up 51% of ransomware victims in Q2 2023, with LockBit taking first place among the gangs.
Dave Bittner: In its annual ransomware report, GuidePoint Security describes the current state of ransomware, what industries it affects the most, and casts a spotlight on threat actors. The report explains that ransomware has reached an all time high since GuidePoint Research and Intelligence Team (GRIT) has begun tracking it, and now seems to primarily affect organizations in the US which make up 51.74% of the victims reported. In comparison, the second most affected country is the UK which makes up just 5% of the reported victims. The industries most heavily impacted by ransomware, in Q2 2023, are manufacturing, followed by technology and banking and finance. By far the most prolific organization conducting these attacks is LockBit, with Alphv placing at second, and 8Base showing at third.
Dave Bittner: The criminal-to-criminal market has driven down costs and thus barriers to entry that the less skilled and more poorly resourced gangs would otherwise have to hurdle. While there’s a lot of reuse of code, and while potential victims are often alert to the older threats, what GuidePoint calls “smaller or less-resourced organizations” probably remain vulnerable. Thus the gangs’ attentions will in all likelihood be driven downmarket.
DeliveryCheck backdoor used against Ukrainian targets.
Dave Bittner: Microsoft, working with CERT-UA, has identified a novel ,net backdoor being deployed against Ukrainian and other Eastern European targets by the Russian threat actor Microsoft tracks as Secret Blizzard (also known as KRYPTON, UAC-0003, Venomous Bear, or Turla, and generally associated with Russia's FSB security service). The organizations that have attracted the FSB's attention are for the most part found in the defense sector. The attack begins with phishing, the phish hook being a document carrying malicious macros. These install a backdoor, "DeliveryCheck," which establishes persistence through "a scheduled task that downloads and launches it in memory." The backdoor is also in contact with a command-and-control server from which retrieves a variety of follow-on tasks. Various open-source and specialized tools (the latter include Kazuar, which Microsoft describes as "a fully featured Secret Blizzard implant") are used to exfiltrate messages from the Signal Desktop messaging application. The operators seem interested in private Signal conversations, documents, images, and archive files.
Dave Bittner: The activity isn't confined to Signal. Microsoft also observed the threat actor targeting Microsoft Exchange servers where it installs server-side components of DeliveryCheck using PowerShell Desired State Configuration (DSC). This approach uses a PowerShell script to place a .net payload into memory. This, Microsoft says, "effectively [turns] a legitimate server into a malware C2 center."
Dave Bittner: We note, in full disclosure, that Microsoft is a CyberWire partner.
SORM under stress.
Dave Bittner: A study by the Carnegie Endowment for International Peace concludes that sanctions have rendered Western technology increasingly inaccessible to Russia's government, and that this is placing Moscow's domestic surveillance apparatus, SORM, under stress. SORM rides atop Russia's ISPs and telcos, and those sectors are being hit hard by sanctions levied in response to Russia's invasion of Ukraine. "Ultimately, the FSB-led surveillance state envisioned by the Kremlin prior to the Ukraine war—and by the KGB in its Cold War heyday—is now beset by a potentially crippling web of dependencies," the report concludes. "Much about the program remains shrouded in secrecy. However, available insights suggest that SORM’s fate is largely anchored to that of the Russian tech sector." The Record points out one irony of the situation: about half of Russia's mobile infrastructure had been furnished by Nokia and Ericsson. Both companies have said they won't sell further systems to Russia, and their participation in the sanctions has been supported by Finland's (Nokia's home) and Sweden's (where Ericsson is based) decision to join NATO. Those decisions were given impetus by Russia's invasion of Ukraine.
Ukrainian police roll up another bot farm working in support of Russian influence operations.
Dave Bittner: Ukrainian police announced this week that they've broken up a criminal operation working from Ukrainian cities (most of the activity was in Vinnytsia, Zaporizhzhia and Lviv) that amplified Russian propaganda directed against Ukrainian popular opinion. The group is also said to have engaged in data theft and other cybercriminal activities. In addition to the arrests, police seized SIM cards and other hardware.
Ave atque vale, Kevin Mitnick.
Dave Bittner: And we conclude on a sad note. The well-known hacker, Kevin Mitnick, and in this case the over-used term “hacker” is apt, passed away on Sunday after losing his struggle against cancer. He was 59. If you’re unfamiliar with his career, he began hacking in an art-for-art’s sake spirit as a phone phreak when he was still in his teens. That he sometimes went too far may be seen in the prison term he served. That he did so in a quirky, not particularly vicious way may be seen in his Federal prosecutor’s testimony that Kevin didn’t seek to take a dime from those he hacked.
Dave Bittner: After his release in 2000, he reinvented himself as a white hat, in which capacity he did a lot of good. Since November 2011, he’d served as Chief Hacking Officer and part owner of the well-known security awareness training firm KnowBe4.
Dave Bittner: So rest in peace, Kevin Mitnick. And we offer our hopes that his colleagues, his friends, and especially his family receive comfort and consolation as they mourn. For our part, we’ll remember him as a nice guy and good company, and, again, we wish him rest.
Dave Bittner: The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Dave Bittner: It is my pleasure to welcome to the CyberWire podcast, David Moulton, he is the director of thought leadership with Palo Alto Networks Unit 42. David, welcome.
David Moulton: Thanks Dave, good to be here today.
Dave Bittner: So, this kicks off a series of segments that you and I are going to share together from Unit 42 and your colleagues there. Can we start off with some descriptive stuff here for folks who may not be familiar with Unit 42 at Palo Alto. What is the mission of you and your colleagues there?
David Moulton: So, Unit 42 is a threat intelligence business, it is an incident response business, it is a team of experts that can help our clients out with proactive assessments. So there's a variety of different things that Unit 42 does. The threat intel feeds into the technology that Palo Alto distributes out to the world. The understanding that we gain from incident response work and from working with companies on their strategies for proactive protection, are also baked into those technologies. And that meets our mission to make the digital world a safer place.
Dave Bittner: And so what are you hoping to achieve here by spreading the word via this podcast?
David Moulton: So Unit 42 has some of the most interesting stories, as you can imagine, from the threat research perch that we have, the relationships that we maintain with law enforcement agencies around the world. We also have a lot of insights and interesting stories to share from the incident response side. I believe it is helpful for us to talk about those learnings, those insights, and to help our listeners use those insights to better protect themselves and to think more deeply about their security strategies.
Dave Bittner: You know, there's really a sense of community here that comes into play, and I know that's important for you and your colleagues there a Unit 42. You know, it's I suppose on the one hand it would be easy from a business point of view to say, you know, we're going to keep everything close to the vest and try to have trade secrets and those sorts of things, but that's not really the philosophy that you all have adopted.
David Moulton: It's not, Dave. Unit 42 has been publishing our threat research for years. It's one of the top visited spaces within our domain. Our threat research articles are deep, they have actionable intel in them and have really established one of the aspects that we're most proud of about the brand is that anyone can come and learn, anyone can use that research, it's part of why we maintain such strong relationships with clients and with law enforcement, is that we don't hang onto everything ourselves. In security, sometimes it is a tendency to know a thing and keep it to yourself, whether it's an insight or yeah, you've had a rough day. I think there's some compelling reasons to stop doing that and that's part of what this show's about, that's part of what Unit 42's DNA is made of.
Dave Bittner: Can we touch on the global aspects of Palo Alto Networks itself and how having that global reach really contributes to the big picture, the information you all are able to gather and share?
David Moulton: Absolutely. When you think about any knowledge that a group or a person has, there're going to be gaps and biases. With Unit 42, we've got experts around the world, we've got telemetry that's coming in from deployments of technology at all types of different companies in different environments. And it's that global perspective and that large amount of observation data that we can start to draw together. And then use the expertise, the experience, the analysts, and the relationships that we have to figure out what matters most and to get that out quickly, into our technology and into our customers' hands so they can better protect themselves without having a very biased view, one that comes from just a GO or just a certain type of training, or just a certain type of security control.
Dave Bittner: I should mention the title of the segment is; "Threat Vector." Any particular meaning with choosing that name?
David Moulton: Well, yes. So when you think about threat intelligence, that's the core aspect of Unit 42. The threat intel drives so much of what we do, understanding the TTPs, understanding what different threat actors are doing, or not doing, you know if they move parts of their infrastructure from one space to another, you've got to interpret what that means. So we wanted to definitely lean into the idea of threat and then vector goes right there with it, where is it coming from? What is its angle? What is its velocity? And you know, I'm hoping to get something going here with my team, calling it "Threat Vector Thursdays" when we're appearing on the CyberWire Daily, so look out for that hash tag, Threat Vector Thursdays.
Dave Bittner: Fair enough. Well, I'm looking forward to what is yet to come. David Moulton is from Palo Alto Networks Unit 42. David, welcome to the CyberWire and thanks so much for taking the time for us today.
David Moulton: Absolutely delighted to be here. Thanks, Dave.
Dave Bittner: The Biden Administration announced a cybersecurity labeling program which aims to convince electronics and appliance manufacturers and retailers to make voluntary commitments to increase cybersecurity on smart devices, earning them a US Cyber Trust Mark on their products. AJ Nash is vice president and distinguished fellow of intelligence at ZeroFox. I reached out to him for insights on the White House initiative.
AJ Nash: The White House came out today and announced the new US Cyber Trust Mark Program. So this is being spearheaded by the FCC and I think it's a really interesting concept that's a great opportunity for public private collaboration. And the focus really is helping consumers understand the risks associated with a lot of the technologies that we've come to known and use regularly. A lot of smart technologies, whether it's smart appliances in the kitchen, whether it's your televisions, whether it's, you know, watches, fitness trackers, thermostats, you know, all the things that we use every day. There's a lot of risk associated with these technologies and the average consumer really doesn't have much of a way of understanding that. You know, it's very technical, it's, you have to be a bit of an expert in a lot of cases to understand these things. So the government is working with some of the largest companies, you know, brands and names we know, you know, Amazon and Google and Best Buy and LG and Samsung and some of those to develop a standard that can be applied to all of these technologies and I think there's going to be a, I guess there's going to be a little seal of approval on it, something to that effect, that says you know, this meets the standards of the US Cyber Trust Mark, right? And so there working with NIST on this, the National Institute of Standards Technology, for those who aren't familiar with the term, to develop standards for this. So I think it's great. I think it's virtually impossible right now for consumers to know should I buy this technology, should I not. I mean, I don't know about you but I have family members often come up to me and talk to me about this. You know, is this safe? Should we get this in the house? Should we not have it in our house? You know, should we have digital photo albums? Those kind of things come up a lot. And so I think, to be honest, I think this might be overdue. So it's great to see, it's going to take time, I mean they've got to develop the standards and figure it out where it goes, I don't recall seeing a timeline for this, other than I think by the end of 2023, NIST was going to have a standard for routers specifically.
Dave Bittner: Right, right.
AJ Nash: So it's obviously going to move somewhat quickly, but I think it's great. I think, I think it should make it much easier for the consumer to know you know, comparatively at least, is this a technology I should or shouldn't buy, compared to others and you've got to be able to understand your own risk, and this is going to empower people to make better decisions I think. Probably pressure technologies too, and companies to build better products out of the box instead of sending things off into the marketplace and then you know, discovering the vulnerabilities later, when people have been compromised and had to deal with those vulnerabilities.
Dave Bittner: It strikes me that this may be the cybersecurity equivalent of the Energy Star sticker that we've all grown accustomed to.
AJ Nash: Yeah, I think so, somebody else mentioned that earlier to me today as a comparison. I think it's a good comparison, right? You and I, I mean I can't speak for you, but I'm going to gamble that before that existed, you didn't know how much energy your refrigerator used in a year.
Dave Bittner: Right.
AJ Nash: You know, I think that's true, I think also, you know maybe some of the energy standards have been applied to cars, you know, if you look at the sticker price, it'll tell you how much fuel it's supposed to use over the year or something like that. So yeah, I think so. It's the kind of information that helps us make better decisions on what we purchase but we would never be able to calculate it ourselves. So as consumers, right now we're sort of in the dark on this. Which means you just have to trust whatever company you're working with and in a lot of cases, just kind of hope and a lot of data has been exposed through a lot of these technologies. You know, the fitness trackers come to mind specifically, I know a lot of people have, whether it's a Fitbit or Samsung or Google or Apple or whoever's on your wrist right now, you know, all these different trackers and technologies that are out there and I don't think people understand how much of that is unsecure right now and how you know, important that is for threat actors who want to track somebody down. Whether it's a stalker, you know, whether it's a nation-state trying to target somebody, there's any number of nefarious reasons to want to know where somebody is and when. And a lot of those technologies aren't well-secured.
Dave Bittner: Any thoughts on the FCC being the lead agency here? Does that, in your mind, does that track?
AJ Nash: Yeah, I mean I think that's where it belongs. You know, this falls in line with should the FCC does and this falls in line with their mission, right? You know, I think, I'm sure there will be speculation and debate, there's a couple other places that probably come to mind that people will take a look at. I think wherever something happens within a government administration, there's going to be detractors who say well, it should be here, it should be there. You know, I mean it's just either they work-- working with NIST I think is a fantastic thing, I think that's really important. You know, the Department of Energy is going to be involved in a collaborative effort as well, with National Labs, and I think you know, we'll probably see you know, some of the cybersecurity components involved, whether it's you know, Cyber Comm or CSR, whoever, I'm sure there'll be other bits and pieces tied to this. But yeah, to me it makes sense that the FCC is going to spearhead this, it seems like something that fits within their remit.
Dave Bittner: And how do you feel about this being a voluntary program, rather than compulsory?
AJ Nash: Well, I think that's always a good place to start. It's really hard for the government to come in and midnight things. A mandate is almost always you know, very unpopular, right? I think coming in and saying, we have a program, sure we'll make it voluntary. Listen, a lot of big names have already signed up to do this, a lot of big brands. I think the competitive market will probably end up taking advantage of that. You know, this is going to create a competitive advantage, if you have a product that has his seal of approval on it, for the average consumer, assuming this is well-understood, which as you said, like Energy Star for instance, they're going to have some marketing to go with this so people know what the stamp means, I think others will, they don't want to have to be compelled to do it. They'll have to do it if they want to stay in the market, if they want to stay competitive. So I think it's a wise place the start, to let's see how the competitive market handles it and then we'll go from there. Now if it turns out that really unsecure devices are undercutting the market by, you know, 50, 60, 70 percent in pricing and price is driving consumers to continue to buy risky things, I wouldn't be surprised if the government wants to incentivize a little bit more, but it's really hard to mandate things and they got off to a really slow start, and especially in a super politicized world and now you know, no matter who was in office, no matter which party was in office, no matter which party had congress, whatever it might be, they're going to argue with each other and mandates are just a great opportunity for somebody to poke a hole and turn it into a political, you know, football that says ah ha, see, they're expanding government, right?
Dave Bittner: Right.
AJ Nash: Finally just avoiding that pitfall is a nice place to go to say hey, we're trying to do something to make people say; we're not going to force it on you but here's the way it's going to work. I think that also avoids politics in a time when almost everything is political. So, it seemed like it made sense to me.
Dave Bittner: Yeah, I often joke that you know, you could hand out gold bricks and there'd be people who'd complain that they're too heavy.
AJ Nash: That's a good point. So same person's going to complain if they win the lottery and have to pay taxes, right?
Dave Bittner: Right. Exactly, exactly.
AJ Nash: It's always something. But I promise you, if they hand me a gold brick, I will not complain about the weight, and if anybody knows the winning lottery numbers for this week and hands them to me, I promise I won't complain about the taxes.
Dave Bittner: Deal. Alright, AJ Nash is from ZeroFox. AJ, thank you so much for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast, you can email us at firstname.lastname@example.org. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment; your people. We make you smarter about your team while making your team smarter. Learn more at N2K.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here tomorrow.