The CyberWire Daily Podcast 8.9.23
Ep 1881 | 8.9.23

Cyberespionage by several intelligence services, some of contracted out. Developments in the cyber underworld. Vulnerabilities reported in CPUs. Some notes on Patch Tuesday.

Transcript

Dave Bittner: Reports of a Wide-ranging cyberespionage campaign by China's Ministry of State Security. EvilProxy phishing tool targets executives, and defeats multifactor authentication. Vulnerabilities in CPUs. Yashma ransomware targets a wide range of countries. MacOS threat trends. Is there a Russian attempt to disrupt British elections? Rob Boyce from Accenture checks in from the Blackhat conference. Maria Varmazis talking with Black Hat Aerospace Village's Kaylin Trychon and Steve Luczynski. Ukraine claims to have stopped a Russian spyware campaign. And Patch Tuesday has come and gone, but the vulnerabilities remain–unless, of course, you’ve applied the patches.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, August 9th, 2023.

Wide-ranging cyberespionage campaign by China's Ministry of State Security.

Dave Bittner: Recorded Future’s Insikt Group has published a report on RedHotel, a threat actor answering to China's Ministry of State Security, that's prospecting targets primarily in Southeast Asia but in other regions as wall. Microsoft tracks RedHotel as Charcoal Typhoon; Secureworks calls it Bronze University. The operation appears to be run for the Ministry of State Security by contractors operating from Chengdu. Recorded Future thinks RedHotel's activity is marked by unusual scope and intensity. "Since at least 2019," the Insikt Group writes, "RedHotel has exemplified a relentless scope and scale of wider PRC state-sponsored cyber-espionage activity by maintaining a high operational tempo and targeting public and private sector organizations globally. The group often utilizes a mix of offensive security tools, shared capabilities, and bespoke tooling." The shared, commodity tools include, the Record says, ShadowPad and Winnti; the bespoke malware includes Spyder and FunnySwitch.

EvilProxy phishing tool targets executives, and defeats multifactor authentication.

Dave Bittner: There’s always an offense-defense seesaw: one rises, the other sinks, and then the process repeats itself. That’s happening now in a spearphishing campaign Proofpoint describes in a report. 

Dave Bittner: Over the past six months the company's researchers have been watching a surge in cloud account takeovers. The threat actors involved have been using a reverse proxy tool, EvilProxy, in spearphishing campaigns that compromise multifactor-protected credentials and session cookies. It's an adversary-in-the-middle campaign specializing in advanced account takeover methods. 

Dave Bittner: That’s the seesaw: using reverse proxy tools is a foreseeable criminal response to the growing adoption of multifactor authentication security measures. Multifactor authentication remains an important security tool, but, as with any other technology, it isn't foolproof and doesn't amount to a panacea.

Vulnerabilities in CPUs.

Dave Bittner: There are two reports out this week on vulnerabilities in CPUs.

Dave Bittner: The first affects Intel products. Several generations of Intel’s x86 processors are vulnerable to a data leak flaw called “Downfall,” CyberScoop reports. Daniel Moghimi, a computer security expert at the University of California, San Diego, and Google found that an attacker running one application could exploit the flaw to “steal passwords, encryption keys, and other sensitive data” from another application.

Dave Bittner: Moghimi told CyberScoop, “When you have a vulnerability like this, essentially this software-hardware contract is broken, and the software can access physical memory inside the hardware that was supposed to be abstracted away from the user program. It violates a lot of assumptions we make in general about operating system security.”

Dave Bittner: Intel poured oil on troubled waters, saying in a statement that the attack researchers describe “would be very complex to pull off” outside of “the controlled conditions of a research environment.”

Dave Bittner: AMD processors also exhibit a vulnerability of their own. BleepingComputer reports that all AMD Zen CPUs are vulnerable to a hardware flaw that “can leak privileged secrets and data using unprivileged processes.” Researchers at ETH Zurich discovered the flaw and created an exploit called “Inception” that “creates an infinite transient loop in hardware to train the return stack buffer with an attacker-controlled target in all existing AMD Zen microarchitectures.”

Yashma ransomware targets a wide range of countries.

Dave Bittner: Cisco Talos warns that a new threat actor is using the Yashma ransomware against targets in English-speaking countries, and also in Bulgaria, China, and Vietnam. 

Dave Bittner: The researchers say, “Talos assesses with moderate confidence that the threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name. The ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone.” The hoods clock in and out just like the rest of us working stiffs, don’t they?

Dave Bittner: Talos also notes that the threat actor’s ransom note mimics the one used by WannaCry. And why not? If you’re engaged in extortion, what’s a little plagiarism among friends?

MacOS threat trends.

Dave Bittner: Bitdefender has published its macOS Threat Landscape Report, finding that “Trojans are the biggest single threat to Macs, accounting for more than half of threat detections.” The researchers state, “EvilQuest remains the single most common piece of malware targeting Macs, with a 52.7% share. It bundles a ransomware component designed to encrypt and pilfer the victim’s files, as well as a keylogger to record keystrokes and steal personal or financial data. While most antivirus vendors recognize and block EvilQuest, its continued abundance indicates that attackers still use it in a spray-and-pray fashion, hoping to catch unprotected systems in their nets.”

Dave Bittner: Attackers won’t abandon a tool just because it’s caught by upgraded security tools, or because the vulnerability it exploits has been patched. There’s usually someone who hasn’t kept up, and that’s a lesson worth remembering right after Patch Tuesday. 

Report: Data breach at UK's Electoral Commission may represent a Russian attempt to disrupt British elections.

Dave Bittner: The Telegraph reports that the ransomware attack and attendant data breach at the UK's Electoral Commission may have been directed by Russian intelligence services. It may have been intended to disrupt British elections. While the incident was detected in October of 2022, the Electoral Commission only yesterday issued a public notification of the attack. Considerable personally identifying information was exposed. As is so often the case with Russian operations, it will be difficult to distinguish conventional cybercrime from cyberespionage and state-directed influence operations.

Ukraine claims to have stopped a Russian spyware campaign.

Dave Bittner: Reuters reports that the Security Service of Ukraine (SBU, also known by its translated acronym SSU) said yesterday that a Russian attempt to compromise the Ukrainian Armed Forces' combat information system had been detected and thwarted. According to the Record, the SBU identified the threat actor responsible as the GRU's Sandworm. The Ukrainian security agency says it stopped the Russian military operation in its planning phases. Sandworm's goal is thought to have been the compromise by spyware of Android devices used in Ukrainian tactical networks, but the SBU didn't reveal the specific systems the GRU had targeted. Ukrainska Pravda cites SBU sources as saying Sandworm was trying to work from Ukrainian tablets captured on the battlefield. Their intention was to use those devices to access Ukrainian networks and use that access to spread about a dozen spyware programs.

Patch Tuesday notes, August 2023.

Dave Bittner: And, finally, August’s Patch Tuesday arrived yesterday. It saw upgrades to some widely used products from several vendors.

Dave Bittner: Adobe released patches for thirty vulnerabilities affecting Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020, SecurityWeek reports. Adobe said, “These updates address critical, important, and moderate vulnerabilities. Successful exploitation could lead to application denial-of-service, security feature bypass, memory leak, and arbitrary code execution.”

Dave Bittner: Microsoft patched thirty-three products, SecurityWeek reports. The company also released a “defense-in-depth update” to block the attack chain for an actively exploited Windows Search remote code execution vulnerability, CVE-2023-36884.

Dave Bittner: And Fortinet has issued a security update addressing a buffer overflow vulnerability (CVE-2023-29182) affecting FortiOS. The flaw “may allow a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections.”

Dave Bittner: As CISA likes to say, “apply upgrades per vendor instructions.”

Dave Bittner: Coming up after the break, Rob Boyce from Accenture checks in from the Black Hat conference. Maria Varmazis speaks with the Black Hat Aerospace Village's Kaylin Trychon and Steve Luczynski. Stay with us.

Dave Bittner: Maria Varmazis is host of the "T-Minus" podcast, focusing on all things space. She recently spoke with the Black Hat Aerospace Village's Kaylin Trychon, Director of Communications, and Steve Luczynski, Board Chair, about the Aerospace Village non-profit, their mission, and their programs. Here's Maria Varmazis.

Maria Varmazis: Kaylin, Steve, there's a lot going on at the Aerospace Village in DEFCON this year. If you can start us somewhere and walk me through it, that'd be awesome

Kaylin Trychon: One of the things that I am just super proud of and excited for is the wide range of talks that we have in the village this year. You know, when we started this five years ago, we were the Aviation Village, now we are the Aerospace Village. And we are really seeing that come into itself. We have tons of talks over space, satellites, aviation, we also have one that has to do with weather and weather satellites.

Steve Luczynski: And weather balloons.

Kaylin Trychon: And weather balloons!

Maria Varmazis: That's super cool.

Kaylin Trychon: I think that what this shows us is that we really are bridging the gap and reaching the different communities that we are trying to reach by seeing the diversity in these talks. A few that I'm super excited for, and I think that our listeners will be excited to mark their calendars for, is one talk called "Winging It - Pen Testing 747." I'm a bit fearful of that, but I think it's going to be a really engaging talk.

Maria Varmazis: That feels like very DEFCON to talk about something terrifying and cool at the same time.

Kaylin Trychon: Exactly. And I think, you know, one of the things that we always say, and we really do promote it through our messages, is that, you know, we don't want people to cause hysteria and think that planes are falling out of the sky. We want to actually show the real-world security challenges that this ecosystem faces.

Steve Luczynski: To pile onto what Kaylin said, you know, that government side, the growth we've seen over these five years. We've got a person from TSA coming in to talk about the screening systems. And the cybersecurity involved with that. We've got two nice ladies from the Office of the National Cyber Director, and they're talking about things from national cybersecurity strategy and the workforce strategy that's recently published, but they also do work with the National Space Council. So their perspective from that high-level government side of things, all the way down to the deep technical and things like what Kaylin's mentioned on both space and aviation, I'm excited I get to do a talk with the TSA administrator. Hearing his perspective on both space and aviation and space related cybersecurity concerns, the industrial control systems at airboards, spaceboards, all of that. So in addition to the talks, we have activities that are very deeply technical and very complex on the run side of things. And we've also got activities that are very simple and straightforward in the like a crawl-walk-run mentality. So, capture the flag events being hosted by Boeing, by Lockheed Martin, the Aviation ISAC has brought in students from Embry-Riddle. We've got students in our talk track, we've got students running these capture the flags. We have other smaller companies, like CT Cubed and Telegenesis, showing some of their training systems. Some of the industrial control systems as it relates to runaway lighting and the security behind those and how they demonstrate that. SpaceX is going to have one of their ground stations there. It sounds like they're going to have a spacesuit and an engine. So it's just good to have some cool things to look at. We'll have an airbus cockpit. One of our -- yet another partner of ours, pen test partners, they have built an airbus cockpit and they use that to demonstrate --

Maria Varmazis: I'm sorry, a cockpit? That's --

Steve Luczynski: Yeah. And yes, it will be there for fun, the fun of flying it also. So, but demonstrating --

Maria Varmazis: The photos alone, right?

Steve Luczynski: Exactly. And they're going to have actual aircraft seats. So we're going to have, you can -- your experience of flying out there, being uncomfortable and flying home, you can do that in our village. So we have all of that. And one other event I've been working on this lately is an ask me anything.

Maria Varmazis: Yeah, yeah. Tell me about that.

Steve Luczynski: We've got all these experts, right? We've got experts that are volunteers. That our volunteers are pilots, former pilots, military, commercial, all the way to people who've done policy and government, policy and industry, the security researchers who are -- they've been doing it their entire career. And then we have all these partners and experts that are coming in either speaking or the activities that we talked about. And so folks want to learn from them. Where you can sit down and say hey, I want to learn about getting into cybersecurity. I want to learn about getting into cybersecurity in aviation or space sector. And you can hear from folks. They want to talk about where they work, if you want to know about it, great. But the idea is experience people who come from a government and industry and academic, a security researcher background. You can ask them any questions that you want. You can hear more about what they did, how they got in, the goods, the bads, all of those things.

Kaylin Trychon: And that brings us to what I'm going to call the satellite in the room here. Which is we haven't talked about in-depth yet, but this year, HACK-A-SAT finals are going to happen at DEFCON on a satellite that is in space. Moonlighter.

Maria Varmazis: That's so cool.

Kaylin Trychon: It is orbiting in space. It is so cool. I'm such a nerd. I'm so excited to bring HACK-A-SAT -- in this competition, I'm working with the Air Force and the Space Force to actually do this and have it be live in space with these finalist teams. I think it's just going to be something that is incredible. It's such a testament to all of the work that the community at the village has done.

Steve Luczynski: Well, and the beauty is, HACK-A-SAT covers both the activity side, like what Kaylin mentioned. So, both on the speaking side and come see it live and action side, we're going to have a CubeSat, the CubeSat, known as the project Moonlighter that Kaylin mentioned is a CubeSat launched in June, deployed off the ISS in July. That's what's orbiting, that's what they're hacking on for this capture the flag. But we have one because CalPoly's bringing one in. You can talk to folks about how it works and what it does.

Maria Varmazis: DEFCON is such an amazing, overwhelming event. Especially for someone who might be new. So I'm just going to close with like a newbie question. If somebody's going to DEFCON for the first time, and they want to go to the village, your village, what would you recommend they start with first? I know it depends on what they're interested in. But let's just, just go with that.

Kaylin Trychon: I would say it wasn't too, too long ago that I was a newbie DEFCON, DEFCONer. And I would say, you know, if you're entering the Aerospace Village, look for someone in a blue Aerospace Village t-shirt and just go up to them and ask them, you know, share what your interests are and we will help make sure that you have the best first experience that you can have. You know, we have so many incredible volunteers with such incredible backgrounds. And we want, you know, we want people to have a great experience and to take something away and to learn something they didn't know when they entered the village. So look for somebody in an Aerospace Village t-shirt. That is my advice.

Steve Luczynski: And I think what you led off with Maria is having tried to do everything at DEFCON because there's so many villages, so many activities, so many talks. You got to stand in line or you're going to miss out on the talk. Just pick something. Maybe it's our village for the entire day, we would love to have you, just like Kaylin said. Talk to somebody in a blue shirt or one of the nice neon vests that we're bringing this year. So you know who the volunteers are and they can point you in the right direction. But really, that focus, so you can actually enjoy DEFCON as opposed to just get totally whooped trying to do everything. Because we're only one small portion of DEFCON, right? So yeah, just being able to make your way around and calmly enjoy and spend time in each place is the recommendation that I offer.

Maria Varmazis: Some earned wisdom there, indeed.

Steve Luczynski: I don't follow it myself, but I offer it. And I try to do it, but I fail. So you know.

Maria Varmazis: It's a lot. It's a big event. Kaylin and Steve, I wish you all the best at DEFCON this year.

Dave Bittner: And a quick reminder to check out the "T-Minus" podcast right here on the CyberWire network.

Dave Bittner: And it is always my pleasure to welcome back to the show Rob Boyce. He is Managing Director and Global Lead for Cyber Resilience at Accenture. Rob, welcome back. And you are today our man on the ground at the Black Hat conference in Las Vegas. How you doing out there so far?

Rob Boyce: Surviving the heat, Dave.

Dave Bittner: Yes, indeed.

Rob Boyce: Very hot. But yeah, thank you, first of all, for having me. It's always a pleasure to talk with you.

Dave Bittner: Yeah. Well things are really kicking off, getting into gear today at Black Hat. I know there's a big keynote scheduled later in the day with Jen Easterly from CISA. What do you have on your schedule? How do you approach a show like this in terms of managing your time?

Rob Boyce: Yeah, it's actually a really interesting question, because as you can imagine, there's a lot to take in in just a couple of days. So, you know, I typically come with the agenda that I want to investigate. And I think this year, you know, data and AI being a huge topic of interest from all of the organizations we talk to. And I feel like almost every security company now is an AI company. So I was digging into that a little bit more on the agenda. And then the other thing that, you know, I'm finding super interesting, as you've already mentioned, Jen Easterly will be doing a keynote and Kemba will be, the Acting Director of EOP will be doing a keynote. So I think it's going to be super interesting. But the presence of the government is incredible this year. I think we -- I think if you've seen, many people already just, you know, trying to understand like how this collaboration with the government and this community is going to work. And it's clear that the government's doing amazing job with outreach this year. Not only are they having the keynotes, but they have invested in having the booths. They're recruiting heavily. We had a chance to talk with someone from CISA yesterday. And asked them very specifically, you know, how has the reception of the community been on your presence this year? And he said it's been very positive so far. You know, there's always that small group that is, you know, I want to say a little bit more skeptical of government collaboration.

Dave Bittner: Spot the Fed.

Rob Boyce: Exactly. Exactly. That's a game that we miss here because now everyone's a Fed at this point it seems like. You know. But I think it's, no, he said it's been very welcoming. And you know, if we really do want to have a private sector, public sector collaboration these are the efforts the government needs to put forward to try and reach out to the community. And get the support for the mission. And I think they've been doing a pretty good job on that. So, that's been interesting as well. And the last thing I'll say on my agenda, as I'm thinking to the show, is of course workforce resiliency and the talent shortage and how, you know, how we're addressing that. This is a huge recruiting opportunity for very, very top talent. Clearly as I said, the government's there. We are here. Actively recruiting as well. And it's just, it's interesting to, you know, just to have this talent in one place. And just be able to share ideas and so it's been super interesting. So those are -- so again, so to answer your question, Dave, like when I'm thinking about how to manage my time, I come here with my agenda, those were the three things I really wanted to dig into this year, and it's been interesting so far even though it's really day one.

Dave Bittner: Do you have any sense for where people stand in terms of their spirits? You know, we've been through -- a number of organizations have been through some layoffs. So, there's a little more uncertainty in the cyber world than perhaps we've ever seen before.

Rob Boyce: Yeah. I would say events like this have an opportunity to uplift people's spirits, honestly. Again, this community is so close that any opportunity we have to get together, share ideas, even, you know, just share ideas that you've had to bar, it's just, it's been a really, I think these are the opportunities we have to uplift the spirits of people. So, I think it's been great. And it is interesting, like you made a very good point. Like where we have been seeing layoffs and uncertainty but yet at the same time we're seeing such a huge demand still for skilled people in this industry. And it's almost like these two realities are at a bit of odds. And so, again, just like being able to be here and present with the community has been, you know, it's been really great. And I think the spirits in general have been pretty good.

Dave Bittner: What's your advice for that Black Hat first-timer who's feeling a little overwhelmed at everything to take in this week?

Rob Boyce: Don't connect to the hotel WiFi.

Dave Bittner: Fair enough.

Rob Boyce: You know, it's, honestly, it is overwhelming. And now that the -- we're seeing more of these focused villages pop up and you know, two of the things that I'm really excited to see are the AI hacking competition, the space hacking competition. And so you really do need to come with like where do you want to focus your time? Because there just is so many things to take in. It's just very hard. So you know, I guess my advice would be, you know, think through what it is you want to get out of being here. And then, you know, make a point to do that. Because it's very easy to get distracted very, very quickly while being here. That is for sure.

Dave Bittner: Yeah. Alright. Well, Rob Boyce is Managing Director and Global Lead for Cyber Resilience at Accenture. Rob, thanks for joining us, and good luck -- good luck with the week ahead.

Rob Boyce: Thank you, Dave. It's always a pleasure being here.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector. As well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer, Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here tomorrow.