A new Magecart campaign. Gootloader’s legal bait. Cryptowallet vulnerabilities. News from the hybrid war. And DARPA’s AI Cybersecurity Challenge.
Dave Bittner: A new Magento campaign is discovered. Gootloader malware-as-a-service afflicts law firms. Researchers find security flaws affecting cryptowallets. Panasonic warns of increasing attacks against IoT. A Belarusian cyberespionage campaign outlined. The five cyber phases of Russia's hybrid war, and lessons in resilience from Ukraine's experience. In our Threat Vector segment, Kristopher Russo, Senior Threat Researcher for Unit 42, joins David Moulton to discuss Muddled Libra. Kayla Williams from Devo describes their work benefiting the community at BlackHat. And a new DARPA challenge seeks to bring artificial intelligence to cybersecurity.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, August 10th, 2023.
New Magento campaign discovered.
Dave Bittner: Akamai is tracking a new card-skimming Magecart campaign that’s been exploiting digital commerce websites since January 2023: “In early 2022, the CVE-2022-24086 vulnerability came to light, enabling attackers to exploit the Magento template engine and execute arbitrary PHP code on susceptible targets. The exploit operates through multiple steps, with common attack vectors involving the abuse of either the check-out process or the wishlist functionality. Since its disclosure, this vulnerability has emerged as a primary entry point for numerous Magecart actors who are targeting vulnerable Magento 2 shops.”
Gootloader malware-as-a-service afflicts law firms.
Dave Bittner: Trustwave describes activity by the Gootloader malware delivery service, finding that just under 50% of cases involving Gootloader afflict law firms and their clients, or potential clients. Its campaign is designed to gull people searching legal topics. Gootloader is distributed via watering-hole sites hosting phony legal documents, with SEO keywords such as “agreements,” “contracts,” and “forms.”
Dave Bittner: Trustwave writes, “Gootloader's SEO poisoning watering hole technique targeting legal-related search terms represents a significant threat to organizations or even individuals, seeking legal information online. By manipulating search engine results and luring unsuspecting users to compromised websites, Gootloader takes advantage of users' trust in search results to deliver malicious payloads.”
Dave Bittner: Who’s using Gootloader? It could be any number of people–it’s a malware-as-a-service operation, available for purchase by any number of shady customers in the C2C market.
Researchers find security flaw affecting cryptowallets.
Dave Bittner: Researchers at Fireblocks have discovered a set of vulnerabilities called “BitForge” that affect several cryptographic protocols used by cryptocurrency wallets. Fireblocks says, “If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, with no knowledge to the user or vendor.” The company has provided a status checker to list vendors that have implemented fixes for the flaws.
Dave Bittner: The researchers note, “Of the wallet providers Fireblocks’ research team worked with to patch the vulnerabilities, Coinbase WaaS and Zengo were best-in-class in managing and resolving the issues in a timely manner, ensuring that their users were well-protected.”
Panasonic warns of increasing attacks against IoT.
Dave Bittner: Researchers from Panasonic, in a presentation at Black Hat, outlined an increase in malware attacks against IoT devices, WIRED reports. Yuki Osawa, chief engineer at Panasonic, said, “Attack cycles are becoming faster. And now the malware is becoming all the more complicated and complex. Traditionally, IoT malware is rather simple. What we are afraid of most is that some kind of a cutting-edge, most-advanced type of malware will also target IoT. So there is importance to protect [against] malware even after the product is shipped.”
Belarusian cyberespionage campaign outlined.
Dave Bittner: ESET researchers today announced their discovery of a Belarusian cyberespionage group ESET has given the unlikely name of "MoustachedBouncer." Active since 2014 at least, MoustachedBouncer targets foreign diplomatic missions to Minsk. The group uses lawful intercept tools to accomplish adversary-in-the-middle attacks "to redirect captive portal checks to a C&C server and deliver malware plugins via SMB shares." ESET believes ("with low confidence") that there's a good chance MoustachedBouncer is collaborating with the often-overlooked and typically underachieving Winter Vivern, a russophone threat group that acts in the interests of both Russia and Belarus. The spyware implants MoustachedBouncer deploys against its targets, "NightClub" and "Disco," are capable of audio recording, screenshot capture, and data theft. ESET warns that MoustachedBouncer is a skilled threat actor whose command-and-control is particularly sophisticated. The researchers recommend that organizations operating in countries where the Internet can't be trusted (like Belarus) should use "an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic in order to circumvent any network inspection devices."
Nuisance-level DDoS by Russian hacktivist auxiliaries.
Dave Bittner: The Russian hacktivist auxiliaries of NoName057(16) have continued their customary short-lived, nuisance-level distributed denial-of-service (DDoS) attacks against European targets. The Record reports that the group has hit a range of Dutch and French targets. Dutch authorities describe the effects as "limited and symbolic." That’s been typical of the hacktivist auxiliaries' results during the hybrid war so far–not a digital Pearl Harbor.
Five cyber phases of Russia's hybrid war.
Dave Bittner: Victor Zhora, deputy chairman and chief digital transformation officer at Ukraine's State Service of Special Communication and Information Protection (SSSCIP), effectively Kyiv's cybersecurity lead, said at Black Hat that Russian cyber ops would continue long after the end of kinetic combat. "Russia will continue to be dangerous in cyberspace for quite a long period, at least until a complete change of the political system and change of power in Russia, converting them from an aggressor to a country which should pay back for all they've done in Ukraine and also in other countries," the Register quoted him as saying.
Dave Bittner: Zhora divides Russian cyber operations into five phases:
Preparation. This began on January 14th, 2022, with WhisperGate wiper malware deployed against IT infrastructure and culminating in denial-of-service attacks that included, by Zhora's reckoning, the cyberattack against Viasat services. The influence campaign of this phase sought to induce fear, to get Ukrainians to "expect the worst."
Disruption. This phase, beginning in late February and continuing through the end of March 2022, was marked by wiper and distributed denial-of-service attacks.
Targeted attacks against infrastructure. This third phase, beginning in April 2022, saw a lower cyber optempo, but more sophisticated, more targeted attacks against infrastructure, including but not limited to the power grid.
Cyber attacks coordinated with kinetic strikes. The second half of 2022 was marked by cyberattacks that sought to hit critical infrastructure (especially water and power) while it was stressed by missile strikes. It culminated just before the new year.
Cyberespionage. The war is currently in this phase, marked by a shift away from destructive attempts and toward collection and cyberespionage.
Dave Bittner: All five phases have seen influence operations conducted in Russia's interest. Those have, indeed, been the enduring feature of Russia’s cyber war, which in most other respects has fallen far short of the devastating effects that had been widely feared.
Lessons in resilience from Ukraine's experience of hybrid war.
Dave Bittner: US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly yesterday discussed what the US and others have learned from Ukraine's resistance to Russia's hybrid war. The CISA head summarized what the present war has taught the world about how to build cyber resilience: "Doing the work up front to prepare for a disruption, anticipating that it will in fact happen, and exercising not just for response but with a deliberate focus on continuity and recovery, improving the ability to operate in a degraded state and significantly reducing downtime when an incident occurs." She explained that this will require conscious attention to, first, risk assessment (including the classic elements of vulnerability, likelihood, consequence, and threat), second, resilience planning (which should include realistic testing), and, finally, continuous improvement and adaptation (because the adversary learns and evolves, and the defender must do so as well).
A DARPA challenge seeks to bring AI to cybersecurity challenges.
Dave Bittner: And, finally, from the people who gave you the Internet itself, comes a challenge to develop innovative applications of artificial intelligence to cybersecurity. The AI Cyber Challenge, AIxCC for short, will be led by the Defense Advanced Research Projects Agency (DARPA). The goal of the challenge is to “leverage advances in AI to invent the next generation of cybersecurity defenses for today’s digital society.” It’s a public-private partnership. DARPA will be working with Anthropic, Google, Microsoft, OpenAI, the Linux Foundation, the Open Source Security Foundation, Black Hat USA, and DefCon to run the challenge. The first round of applications is due next month, as SBIR–Small Business Innovation Research–proposals. Seven will be selected for funding. Next August, at DefCon, the semifinals will select the top five teams, each of whom will receive $1 million. And at DefCon in August 2025, the winners will be announced. The team that places third will get $1.5 million. The runner-up will receive $3 million. And the winner’s purse will be a cool $4 million. For more, visit aicyberchallenge [dot] com. You and your robot friends should line up and sign up now.
Dave Bittner: The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Dave Bittner: Coming up after the break, in our Threat Vector segment, Kristopher Russo, Senior Threat Researcher for Unit 42, joins David Moulton, to discuss Muddled Libra. Kayla Williams from Devo describes their work benefiting the community at BlackHat. Stay with us.
Dave Bittner: In our sponsored Threat Vector segment, Kristopher Russo, Senior Threat Researcher for Palo Alto Network's Unit 42, joins host David Moulton to discuss Muddled Libra. Here is their conversation.
Kristopher Russo: Your biggest threat is probably not nation states, or APTs or whatever the latest zero-day vulnerability is. Your biggest threat is likely a highly motivated and determined attacker. One that knows where you keep your organization's crown jewels.
David Moulton: Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants, dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42.
David Moulton: Today's episode is Part 1 of the story about Muddled Libra, a methodical group that poses a significant threat to industries like telecommunication, technology and software animation. Today's guest is Kristopher Russo. Kris is a Senior Threat Researcher with Unit 42. Talk to our guests a little bit about how you got into cybersecurity.
Kristopher Russo: Sure. So, I've been doing cybersecurity for many years now, and really what drew me to it was this insatiable appetite for just ruining bad guys' days. I love technology, and I love the way it can be used to improve people's lives, and at the same time, we've seen people take those same technologies, and use them to hurt people and destroy those lives. And so really, what I am here for, is to help put a stop to that.
David Moulton: Kris, in mid-June, you were the lead author on a threat group assessment for Unit 42 on the threat actor group, Muddled Libra. For listeners not familiar with Muddled Libra, can you give us a snapshot of the group, and maybe actually how it is different than Scattered Spider?
Kristopher Russo: Yeah, and most of my listeners have probably heard about Scattered Spider, or Scattered Swine, or Octopus, as they've been known. The commonality which binds all of these threat groups together is the use of the Octopus Phishing Kit. The Octopus Phishing Kit is a one-stop shop for quickly and easily constructing smishing pages, used to steal OTP codes from victims. What we found is that there are a number of actors using that phishing kit, and they've all been grouped together, and I think it's important to carve out what is arguably the most dangerous of those groups. We defined Muddled Libra as having several hallmarks unique to them, and these include the focus on outsourcing firms for attack, particularly with firms that have access to downstream, high-value cryptocurrency holders. We see them use legitimate persistence tools by trusted vendors to kind of fly under the radar in the environment, and probably most importantly, the type of data that they're after is very specific, and they are very thorough in finding it.
David Moulton: Can you share what defenders should be on the lookout for with Muddled Libra?
Kristopher Russo: First and foremost, the hallmark of this threat actor is the use of the Octopus Phishing Kit. And they use that to create lookalike authentication pages, and then contact victims to socially engineer them into going to these pages, and divulging their credentials. So we see the favorite lures of this group impersonating the organization's Help Desk, or warning the victim of work schedule changes. Anything kind of high priority, to get the victim to click through, and go to this phishing page. Once authenticated, this attacker will look to establish persistence in the environment by using commercial remote management tools. Now, what's unique with this threat actor is they'll often use many of these tools in one environment, to make sure that if one is identified, they can still maintain that persistence. After establishing a beachhead, this attacker will use standard penetration testing techniques and tools to elevate their access, explore the network, move laterally, and identify the information that they're after. This is likely where defenders will notice the activity. There is also an opportunity to find this activity when seeing large transfers via SSH out of the environment, or unusual transfers to commercial data-sharing websites.
David Moulton: In your article, you and your co-authors detailed an extensive number of conclusions and mitigations. What I want to hear from you about is the most urgent recommendations you would share.
Kristopher Russo: First of all, know your environment and know your users, so that you can see when anomalies happen in your environment. There are lots of good ways and good tools to do this, but what is important is that you can identify things that are abnormal. Train your users and your Help Desk to be on the lookout for unusual requests for authentication, for modification of MFA safeguards that could be adding a new mobile phone, or unenrolling an application. Use intelligent security automation that monitors and remediates anomalies on the fly in the environment to detect attacks early and stop them before damage can be done. And finally, practice good security hygiene, by identifying where your important data is in your environment, and protecting that sensitive data with additional controls, and making sure that only the folks that need access to it can access it.
David Moulton: Kris, thanks for joining me today on Threat Vector, and for talking about the threat group assessment research that you've done on Muddled Libra. We will be back on the CyberWire Daily in two weeks, with the second part of our look at Muddled Libra, with Stephanie Reagan. Stephanie will share her insights and advice for fellow incident responders working to defend against Muddled Libra, and attackers like them. Until then, stay secure, stay vigilant, goodbye for now.
Dave Bittner: And it is my pleasure to welcome back to the show, Kayla Williams. She is the CISO at Devo. Kayla, I know you and your colleagues from Devo are no doubt having a good time there at BlackHat, and doing all of the business-related things that you are there to do, but there is a lot more to that show for you and your colleagues there. You all have a lot going on this year.
Kayla Williams: Yeah, we certainly do. You know, and it's absolutely electric here, down on the show floor here at BlackHat, you know, we've had a lot of interaction with customers and prospects, and even just people who were just walking by, come and see our booth. We have a lot going on. It is so much fun.
Dave Bittner: Well, tell me about some of the initiatives that you all are sharing there at the show, I mean, these are things that extend beyond the business mission of Devo.
Kayla Williams: Yeah, so we actually have, at 3:00 p.m. on Wednesday, we have Dr. Chaz Lever, who is our Director of Security Research, and Josh Copeland, who is a Cybersecurity Director at AT&T, and also he is actually a professor at Tulane University as well. They are going to discuss the risks and rewards of artificial intelligence, which we've had so much buzz around this topic, since Devo uses AI within our platform, and we're really starting to see an uptick in the interest, as is the rest of, you know, the industry and the attention on AI. We also have the launch of our "Rock the SOC, A Career Guide for Your First Analyst Role and Beyond," which was so much fun to create. It's a comprehensive book of career resources, guidance, and real-world insight from our contributors. So, you know, I don't want to brag or anything, but I contributed [laughs] a section [laughter] to the book, which I thought was really exciting.
Dave Bittner: [Laughing] Yeah.
Kayla Williams: But we also got to talk to YouTube content creator, John Hammond, and the Cyber SN Founder and CEO, Deja Diamond. She is hysterical, if you've never met her. I strongly recommend finding her, she is so much fun.
Dave Bittner: Yeah. There's also an initiative, I understand, that you've got some resources to help combat burnout?
Kayla Williams: Oh, yeah. Talk about one of the industries that is hit with burnout so much, it is certainly the cybersecurity industry, but I find through the research that Devo has done, but also just from like lurking around on social media, that our SOC analysts out there are hit the hardest. So what Devo has done, for the third year in a row, we are having our SOC Analyst Appreciation Day, which was founded to celebrate our SOC Analysts, and encourage organizations to prioritize their mental wellbeing. That's in October, I believe. The full day is October 18 that we are going to be having that SOC Analyst Appreciation Day.
Dave Bittner: Nice. So you're speaking about BlackHat in general, for folks who, perhaps this is their first time there. Do you have any words of wisdom, as someone with a little more experience under your belt?
Kayla Williams: I would say, make sure that you're wearing comfortable shoes. I think that's the most important piece, you know, if you haven't been to RSA, it's the same thing, make sure you're comfortable. Because you do so much walking. But I would say also that you should capitalize on the networking opportunities, and that's not just speaking about on the floor, but going out, and attending the events that are being sponsored by all the different organizations, so if Devo has a few sponsored events as well, of course, you know I'd love to see everybody there. And you know, if you find something that, you know, is up your alley? Go for it! Don't be shy. This is our time to come together as a community and get to know one another.
Dave Bittner: Before I let you go, can we talk real quick about Cyber Minds? It's an organization that I've spoken to, before. But you all are contributing to that organization at the show?
Kayla Williams: Yes, we are. So Cyber Minds is a not-for-profit organization focused on solving stress, burnout and anxiety within the entire cybersecurity community. And what Devo is doing, is we are giving them a lump-sum donation, and then an additional $10 for every badge we scan at our booth. So I highly encourage folks, please come stop by our booth. If not for, you know, me and my amazing colleagues and our absolutely phenomenal platform, but to come and stop by, so that we can scan your badge, and donate to a good cause [background music begins].
Dave Bittner: Alright, fair enough. Well, Kayla Williams is CISO at Devo. Kayla, have fun there in Vegas. Please, hydrate!
Kayla Williams: Absolutely. Thank you so much! Take care [laughing].
Dave Bittner: You too, good luck.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at email@example.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly-changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500, and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at N2K.com. This episode was produced by Liz Irvin, and Senior Producer, Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliott Palsmith. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.