Action in the cybercriminal underworld. Russia’s FSB and SVR are both active, and so are their hacktivist auxiliaries. NSA offers advice on configuring next-generation firewalls.
Dave Bittner: Open Bullet malware is seen in the wild. Threat actors exploit a Salesforce vulnerability for phishing. BlueCharlie (that’s Russia’s FSB) shakes up its infrastructure. Midnight Blizzard (and that’s Russia’s SVR) uses targeted social engineering. How NoName057(16) moved on to Spanish targets. Robert M. Lee from Dragos shares his reaction to the White House’s national cybersecurity strategy. Our guest Raj Ananthanpillai of Trua warns against oversharing with ChatGPT. And NSA releases guidance on hardening Cisco next-generation firewalls.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, August 3rd, 2023.
Open Bullet malware campaign.
Dave Bittner: Kasada is tracking a malware campaign targeting users of the often-abused open-source penetration testing tool OpenBullet. Threat actors are spreading malicious versions of the tool containing malware designed to steal cryptocurrency. It’s a novel infection vector, Kasada says, but it’s well-adapted to stealing from gangs who use cryptocurrency for their transactions.
Threat actors exploit Salesforce vulnerability.
Dave Bittner: Guardio discovered a zero-day vulnerability affecting Salesforce’s email services and SMTP servers. Attackers exploited the vulnerability to launch phishing campaigns targeting Facebook accounts: “Guardio Labs’ research team has uncovered an actively exploited vulnerability enabling threat actors to craft targeted phishing emails under the Salesforce domain and infrastructure. Those phishing campaigns cleverly evade conventional detection methods by chaining the Salesforce vulnerability and legacy quirks in Facebook’s web games platform.”
Dave Bittner: Salesforce issued a patch for the flaw on July 28th. The company said in a statement, “We value the contributions of the security research community to help enhance our security efforts, and we are grateful to Guardio Labs for their responsible disclosure of this issue. Our team has resolved the issue, and at this time there is no evidence of impact to customer data. We continually encourage researchers to share their findings with our team at email@example.com.”
BlueCharlie (that’s the FSB) shakes up its infrastructure.
Dave Bittner: Industry research has been exposing Russian cyber operations, and the increased light this has shed on their activities has led Russia's FSB to add a number of domains to its attack infrastructure the better to escape unwanted scrutiny. Recorded Future reports that the FSB activity it tracks as BlueCharlie (Microsoft calls it "Star Blizzard," formerly "Seaborgium") has registered ninety-four new domains for its infrastructure. That infrastructure supports credential-harvesting, intelligence collection, and hack-and-leak operations. The FSB's targets are Ukraine and members of the NATO alliance. The hack-and-leak operations follow an FSB tradition of going beyond simple collection and analysis to conduct activities online that create and develop narratives that support Russian disinformation.
Midnight Blizzard (that’s the SVR) uses targeted social engineering.
Dave Bittner: Microsoft reported late yesterday that the Russian threat group Midnight Blizzard (which Redmond formerly tracked as Nobelium, and which US and British intelligence services identify as an operation of Russia's SVR) is currently engaged in highly targeted social engineering attacks against a range of Western targets. The goal of the operation, as is almost invariably the case with SVR work, is espionage.
Dave Bittner: The present campaign is credential phishing, and it uses security-themed subdomains as phishbait. (The subdomain names often use homoglyphs--characters that resemble, to the eye, a letter of the alphabet, but which in fact are different characters entirely. For example, the Cyrillic letter that corresponds to the Greek rho might stand in for the Latin letter "p.") The attack is staged from previously compromised Microsoft 365 tenants owned by small businesses, and it's designed to capture authentication tokens that can be used in further attacks.
Dave Bittner: The attack typically proceeds in three stages. The first step is a request to chat in Microsoft Teams. That request often impersonates a technical support or security team member. The next step requests action on the target's authentication app, direction to enter a code into their Microsoft Authenticator app. The third step is successful multifactor authentication. "If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user," Microsoft explains. "The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow." From this point Midnight Blizzard enters its post-compromise phase, which involves information theft and, in some instances, the addition of a managed device to the organization's network.
Dave Bittner: The SVR is casting a wide net. Its targets are found in the government, non-governmental organization (NGOs), IT services, technology, discrete manufacturing, and media sectors.
How NoName057(16) moved on to Spanish targets.
Dave Bittner: Radware reports that the Russian hacktivist auxiliary, much of whose activity has been directed against Ukraine and its Eastern European sympathizers (notably Poland and Lithuania), claims to have conducted distributed denial-of-service (DDoS) attacks against Spain. The attacks began on July 19th and continued through the 30th. Radware reports that the attacks were timed to coincide with Spain's elections, and that their targets included two organizations involved with administering the elections: the Junta Electoral Central and the Instituto Nacional de Estadística. Most of the effects, however, were felt by the travel and financial services sectors, with telecommunications and news organizations also affected. Radware puts the total number of victims at around fifty. At the outset of the campaign, NoName057(16) published communiqués in its Telegram channel excoriating Spain for "waging a proxy war against Russia," and promising to make Spain feel the cost of its support for Ukraine.
Dave Bittner: NoName runs what Radware characterizes as a crowd-sourced botnet, "Project DDoSia," to whose members it provides client software that contributes to the attack traffic. "This is very aligned with IoT DDoS botnets," Radware explains, adding, "The difference? Instead of being installed on compromised IoT devices, it is installed on home PCs, mobile phones and cloud servers by volunteers." NoName also offers payments to members who make the most attacks. One of the unusual features of a NoName campaign is its reconnaissance. The group's admins "investigate the target website and identify the most resource-intensive parts of the site," thereby enabling their volunteers more effectively to choke the site with traffic.
And NoName057(16) hasn't confined itself to Spanish targets recently, either.
Dave Bittner: The Russian hacktivist auxiliary yesterday also claimed to have interrupted an Italian bank's website. MarketWatch reports that NoName057(16) said it conducted successful DDoS attacks against sites belonging to seven banks.. Italy's National Cybersecurity Agency said the banks reacted well and reported neither material damage nor compromise of customer data.
NSA releases guidance on hardening Cisco next-generation firewalls.
Dave Bittner: And, finally, the US National Security Agency (NSA) has issued guidance on how to harden Cisco next-generation firewalls (NGFW). NGFWs offer substantial security capabilities, but they require proper implementation. "Cisco FTD systems are NGFWs that combine application and network layer security features. In addition to traditional features, these NGFWs provide application visibility and controls (AVC), URL filtering, user identity and authentication, malware protection, and intrusion prevention," NSA says. The agency's Cisco Firepower Hardening Guide offers detailed advice on how to configure the NGFWs to defend networks against sophisticated and persistent threats.
Dave Bittner: If you use Cisco’s FTD, be sure to take a look at NSA’s advice.
Dave Bittner: Coming up after the break, Robert M. Lee from Dragos shares his reaction to the White House's national cybersecurity strategy. Our guest is Raj Ananthanpillai of Trua who warns against oversharing with ChatGPT. Stay with us.
Dave Bittner: Generative AI platforms like ChatGPT have proven themselves useful for a broad variety of tasks, but of course, there are concerns about users oversharing sensitive proprietary or personal information with them. Raj Ananthanpillai is founder and CEO of identity and risk-screening platform provider Trua. I spoke with him about his concerns with generative AI.
Raj Ananthanpillai: Unfortunately, people are putting all kinds of personal information, their family information, and so on and so forth. Remember, this is a one-way street. You can never go back to these generative tools and say, "Take out my name. Hey, delete my this or that." If you look at the terms of service, it is multipage, fine print. You know, you need a magnifying glass to even read it [inaudible]. That's how they are getting away with it.
Dave Bittner: Yeah.
Raj Ananthanpillai: And it is very, very dangerous, too, for personal information because they take all your input to fine-tune their algorithms over time. That's exactly what happens.
Dave Bittner: So you point out in some of your research that, you know, there's- there are things that I think people will put into this that they don't consider being personal information. For example, someone might upload a resume and say, "Help me reformat this resume." But there's all kinds of information on a resume.
Raj Ananthanpillai: Absolutely, because, remember, everything is scannable, right? So they scan. I don't know how they upload it. They scan it and then your name, the employer. So those are all what I call identifying information. At some point, right, somebody's going to use just like KBAs, knowledge-based authentication, remember, way back when or even some of the institutions use that. "Hey, what kind of car did you drive in 1992? What color was your car?" Or, "Where did you live during this year," right? Those are all historical information that are always being used for authentication purposes. And now imagine your employment history as part of your resume becoming part of that. That could be another dangerous avenue for somebody to act and start using you and your profile for fraudulent purposes.
Dave Bittner: So can we imagine that someone could go into, for example, a ChatGPT interface and say, "Tell me everything you know about Raj's work history."
Raj Ananthanpillai: Yes, you could, if it already has that, right, I've already put in there. Even otherwise, they're going to [inaudible] anyway. They go find different things already that's in the public domain, right? They're going to find something. Even today, you and I can Google, for example, about anybody any place, right? Whether it's true or not, that's different story, but they have enough information to go up and start interacting with you as if they are genuine, right? And that's all it takes for somebody to easily succumb to some of those frauds. Think about spoofing and think about phishing, right? They're being used as if it's coming from you. It's the same concept at a level that's probably 100 times more than what you're experiencing today.
Dave Bittner: You know, I think it's safe to say that there is true utility with some of these tools. But as you point out, I mean, it's so alluring to put information in there because the answers you get back, I mean, you hear people talking as if these things are almost therapists.
Raj Ananthanpillai: That is true. That is the thing about this ChatGPT. What happened was somehow this became a what I call a mainstream/consumer excitement. Usually these are technologies that are used by big corporations to [inaudible] to do big things, right? Somehow, it's got in to the mainstream consumer, you know, and everybody's just toying with it, in my opinion. That is the big thing. If you think about some of the major technologies, right, it took long time before consumers started using it, right? But they were not necessarily geared towards consumers.
Dave Bittner: Are there ways that people can use this sort of technology in a safer way? Can you- is it possible to run something like this on a local instance?
Raj Ananthanpillai: Yeah, as long as the provider of the tool assures you that your personal information is going to be erased right after that. Because you don't want to leave any personal information behind the scenes, right? Because they need that information to generate what we are trying to tell the tool to generate, right? So otherwise, it's going to be a garden variety [inaudible] response, so you're looking for specific input from this particular tool. So the key is to always minimize the number of personal information. Again, what you're looking from these tools is not necessarily anything absolutely personal. If they learn anything about you personal, it's going to take a while before you start gathering some of the personal information. But they're going to say, "Hey, how do I reduce my anxiety?" for example, right? "And my name is this. I work in this industry," right? Bingo, you put your name, you put your industry, everybody, so they're going to keep that for their future analysis purpose. But if you say, "I am, you know, Joe or Jane Smith, and I work in a fictitious industry," right? You don't care about it. You're looking for output from it. So that is how I would approach for a while until this dust settles.
Dave Bittner: What about business information? You know, I've heard of folks taking things like annual reports and uploading them to have them reformatted or reworded.
Raj Ananthanpillai: Big time no-no because it has some proprietary information, confidential information. That is the big no-no, in my opinion, because you are literally letting somebody else hack into it.
Dave Bittner: It strikes me that if you cut off access to ChatGPT altogether, that might not be the most practical path, but at the same time, you want people to be aware of the risks.
Raj Ananthanpillai: Yes, you can, you know, filter and control some of those kinds. For example, there are lot of tools out there, right, and, of course, you need to develop them. Like if you're trying to go to a porn site in a corporate environment, they block those things. You cannot do that, right? Many forward-looking organizations. Or if you're trying to go to a gambling site, you cannot go there from the computer. So similarly, we have provisions where if you have Social Security number or any personal information as you're inputting, it'll drop that e-mail right off the bat. So similar concepts have to be derived and developed for interacting with ChatGPT where there's a company information, or company proprietary technology, or whatever it is. You can eventually filter those things out.
Dave Bittner: That's Raj Ananthanpillai from Trua.
Dave Bittner: And joining me once again is Robert M. Lee. He is the CEO at Dragos. Rob, it is always great to welcome you back to the show. The White House has been busy releasing a number of policy statements, and strategies, and so forth. I want to touch base with you, today, on the national cybersecurity strategy that they recently put out. What's your reaction to this?
Robert M. Lee: First of all, I'm always excited that the White House and various policymakers are putting cybersecurity in the forefront. And talking about it in a very positive way and having a lot of the good conversations, right? We've even seen out of this Administration, this group of policymakers, a differentiation between operations technology and IT, right? So there's just really good nuance and similar. When it comes to the strategy, I think it's a lot of the things that we've all been talking about, which is good, like they're capturing those. But as with most things, it's really gonna be left up to, you know, the details of how this gets implemented. And, you know, from my understanding of previous versions of the strategy, it sounds like the final draft was pretty neutered in comparison to what it started out as. And so I think on one hand, great job, having a strategy, putting it out there, capturing feedback from the community, and again, just making sure that cybersecurity is a top discussion. Cons of it is I think that the government, the US government, particularly, has had kind of some identity crisis of sorts on who does what. What are the actual roles and responsibilities of the different agencies? And what can you do, what can you influence, what choices can you make? And I think when I talk to a lot of the folks working on these documents, and working on these strategies, and they are some really fine Americans, and they're working really hard. One of the frustrations I constantly hear is for them to have an opinion get shot down. Like you almost have to have- it's not like don't violate laws or don't violate issues, which makes total sense. It's don't even get close to having a perception of perception issues. And so I think a lot of good people but working inside of a pretty restrictive environment where a lot of people don't want to have an opinion.
Dave Bittner: I think one of the things that people noted in this release was that it is very overt in saying who's responsible for what. Is that a good sign that things might be headed in the right direction?
Robert M. Lee: It's a good sign but this was the time to actually clarify with the so what. This was the time to actually say what are our expectations. You know, I wrote a- an op ed in CyberScoop about this basically just stating like the government has a very important role and responsibility to play, but so does the private sector. And it's really important for government to define the why, you know, why are we doing this. We're making some change. It's gonna have some cost. Why are we doing this? To then define the what, what outcome are you trying to achieve, and leave the how to the asset owners and operators in the private sector and similarly. Don't try to tell a pipeline operator how to run a pipeline. Leave that to the pipeline operator but set the why and the what so we all know and we all move in the same direction. And I think they've been really good on the why and I think the document represents that of like being overt and similar. I'm not so sure that I see the what as much in terms of like what exact outcome are you wanting. "Well, that's have secure by design." Well, what does that mean to you? Or, "Well, we should have more responsibility on, you know, the suppliers." I completely agree but what outcome would you like to see? And so I think that without being crisp on what outcomes we're chasing towards, which really is just setting requirements, nobody is really going to be able to come up with the how because we're not exactly sure what we're chasing.
Dave Bittner: What do you expect in terms of next steps from the government here?
Robert M. Lee: They'll have to, I mean, for this to be useful, which it can be. I'm not saying this is like some bad document. I think a lot of times also when I talk to policymakers and some are like any critique is like, "Oh, my God. You're bashing this." No, I'm not. I think there's a lot of amazing work here and there's a lot of good people working on it. But these are very serious topics. This is national security and, yeah, it matters. So what is the problem here? I don't see that the connecting down to the next step and it's vague enough that there's a lot of details that can just be run in circles like we've seen for the last like 15 years on this topic. So to make this useful, there will need to be kind of the underlining policies or strategies that come out below this that define that why and the what and talk about the mechanism for the how. Are we talking rate recovery for an electric utility to go do something? Are we talking regulatory pressure? Are we talking incentives? Like what is it that we have as tools to go achieve these things you want? I mean, suppliers. There are plenty of regulations on the asset owners and operators. I testified at my Senate hearing. There's not a lot on suppliers. I run a software company that develops software for critical national infrastructure. And we get deployed in everything from oil, and gas, and pipelines, and electric utilities, to nuclear power plants. We're pretty critical. And it is shocking to me sometimes how little I have in terms of oversight on my business or the choices I make. And I'm not screaming for more regulation. Trust me, I'm not like, "Yay, regulation," but it's imbalanced. There is not a lot of harmonizing, although they call that out and that's good. There's not a lot of harmonizing on the regulations that are on our asset owners and operators. The imbalance is obvious when you look at the requirements that are then on the suppliers. So they need to clarify that. They've said let's harmonize national regulations. Boy, that one alone is amazing. But what's the expectation? Is like are we going to get FERC, and EPA, and TSA, and everybody working together because somebody above them has the authority and is going to force that conversation? Or are we just going to say, "You all should harmonize," and then walk away, and hopefully, they someday get it, even though we've been saying that for at least 15 years?
Dave Bittner: When you look at this document, you know, your particular neck of the woods of critical infrastructure, OT technology, and security. Do you think the amount of recognition that area got in this document is balanced relative to the need?
Robert M. Lee: Yeah, I'm always going to advocate for more OT focus, but there is critical infrastructure focus in this document, so I don't feel okay to critique any like, well, what percentage it was. It got called out. It got specifically mentioned and talked about. And maybe this is just like trauma of the past, but for how long that's been ignored, like the critical part of critical infrastructure has been ignored for so long, even to get a mention, we're like, "Yay!" You know, it's like, "Whoo! They're listening!" So I'm not looking for the grand slam. I'm just looking for some acknowledgement that's from operations people and folks that are actually keeping the lights on, water running, manufacture goods. They're like, "They deserve a mention."
Dave Bittner: All right, fair enough. Robert M. Lee is CEO at Dragos. Rob, thanks so much for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at thecyberwire.com. We'd love to know what you think of this podcast. You can e-mail us at firstname.lastname@example.org. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly-changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector. As well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.