The CyberWire Daily Podcast 9.5.23
Ep 1899 | 9.5.23

In today’s symposium, we talk about a new strand of Chae$ malware, some developments in social engineering, privateers in a hybrid war, cyber ops as combat support, and some default passwords.

Transcript

Dave Bittner: A new variant of Chae$ malware is described. A "Smishing Triad" impersonates postal services. A MinIO storage exploit reported. Okta warns of attackers seeking senior admin privileges. LockBit compromises a UK security contractor. DDoS takes down a German financial regulator's site. Infamous Chisel as GRU combat support. Joe Carrigan on Meta uncovering a Chinese influence effort. Our guest is Connie Stack, CEO of Next DLP, discussing data breach notification procedure. And please, PLEASE, remember to change your default passwords.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, September 5th, 2023.

New variant of Chae$ malware described.

Dave Bittner: Morphisec this morning published a description of a new variant of the Chae$ [chase] malware, "Chae$ 4," which is being used against the financial services and software supply chain sectors. Among the affected targets are Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, and MetaMask, as well as content management systems including WordPress, Joomla, Drupal, and Magento. The identity of the threat actor behind the malware is murky, but he, she, or they (it's unclear whether it's an individual or a gang) have come to be known as "Lucifer."

Dave Bittner: The original Chae$ version was first described in November of 2020 by Cybereason, which found it active against e-commerce customers in Latin America, especially Brazil. The current variant, like its predecessors, is a criminal tool used to steal information, especially credentials, that can be subsequently exploited for online theft. Chae$ 4 has been completely rewritten in Python and is more difficult to detect than earlier variants. It also features a modular design that lends it greater adaptability. Infection begins when the victim is induced to execute a malicious installer that usually masquerades as a JAVA JDE installer or Anti-Virus software installer. The operators of Chae$ 4 show a particular interest in cryptocurrencies.

"Smishing Triad" impersonates postal services.

Dave Bittner: Resecurity has warned that a China-based cybercriminal group is running a smishing campaign targeting US citizens by impersonating postal services. The threat actors “are operating a package-tracking text scam sent via iMessage to collect personally identifying information (PII) and payment credentials from victims, in the furtherance of identity theft and credit card fraud.”

Dave Bittner: The smishing messages direct victims to a convincing clone of the US Postal Service’s website, telling them they need to enter their credit card information in order to pay a small shipping fee (as low as thirty cents).

Dave Bittner: The threat actor has targeted users in numerous countries in the past by impersonating the UK’s Royal Mail, the New Zealand Postal Service, Spain’s Correos, PostNord, Poste Italiane, the Italian Revenue Service, and others.

MinIO storage exploit reported.

Dave Bittner: Researchers at Security Joes have found that a threat actor was exploiting two vulnerabilities in the distributed object storage system MinIO to steal data and execute arbitrary code. The vulnerabilities had been fixed, but the attackers used social engineering to trick a MinIO developer into reverting the service to an earlier, vulnerable version. They then used the flaws to gain access to the MinIO administrative console, which allowed them to push a malicious update containing exploit code. The researchers explain, “[T]he executed commands inherit the system permissions of the user who initiated the application. In this instance, due to inadequate security practices, the DevOps engineer launching the application held root-level permissions.”

Okta cyber incident: attackers seek senior admin privileges.

Dave Bittner: Okta has warned of an ongoing social engineering campaign that’s targeting IT employees to gain access to Super Administrator permissions. This access enables the attackers “to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization”: “In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users.”

LockBit compromises UK security contractor.

Dave Bittner: The privateering LockBit ransomware gang has released documents taken in a cyberattack against Zaun, a contractor to the UK's Ministry of Defence that specializes in perimeter physical security: fences, alarms, and allied systems, but at a higher technological level than that bare partial list might suggest.

Dave Bittner: According to Computing, the attack took place over the 4th and 5th of August "via a rogue Windows 7 PC running software for a manufacturing machine." Zaun says it was able to limit the effects of the attack, preventing, for example, the encryption of its servers, but some data were lost. The Daily Mirror reports that Zaun serves, among other sites, HMNB Clyde Trident submarine base, the Porton Down chemical weapons research laboratory, one GCHQ facility, various prisons, and a military cybersecurity installation. LockBit has now dumped stolen data on a dark web site. 

Dave Bittner: On September 1st Zaun disclosed, "LockBit will have potentially gained access to some historic emails, orders, drawings and project files, we do not believe that any classified documents were stored on the system or have been compromised. We are in contact with relevant agencies and will keep these updated as more information becomes available. This is an ongoing investigation and as such subject to further updates."

Distributed denial-of-service attack takes down German financial regulator's site.

Dave Bittner: On Friday a distributed denial-of-service (DDoS) incident rendered the site of BaFin [bah-fin], Germany's Federal Financial Supervisory Authority, inaccessible. The authority tweeted that the public website was the only aspect of its operation affected, and that the regulator's other activities continued uninterrupted. Access to the website seems this morning to have been restored, Security Affairs reports. The attack hasn't so far been attributed to any threat actor, but BleepingComputer cites reasonable and informed speculation that points toward a Russian hacktivist auxiliary whose objective was to punish Germany for its support of Ukraine.

"Infamous Chisel" malware as GRU combat support.

Dave Bittner: The UK's Ministry of Defence (MoD) on Monday reviewed the recently exposed Infamous Chisel campaign against Ukrainian military targets. The MoD sees the deployment of the Android malware as a significant instance of cyber operations used as combat support. 

Dave Bittner: It’s also worth repeating that Infamous Chisel is Android malware, and its development and deployment shows the increasing convergence of commercial communications tools with military systems. The personal may not always be the political, as the old Marxist saw had it, but nowadays the personal seems to have become the tactical, at least where communications and intelligence collection are concerned.

Risk of weak default passwords.

Dave Bittner: Finally, have you changed all your default passwords to something better? You really should, you know, and some recent issues among users of LogicMonitor serve as a salutary reminder.

Dave Bittner: Cloud infrastructure monitoring company LogicMonitor has disclosed that several of its customers were hit by cyberattacks. TechCrunch cites an anonymous source as saying the attacks were caused by weak default passwords LogicMonitor assigned to its customers. The source stated, “When you set up an account with [LogicMonitor], they define a default password and all user accounts for your organization/account are made with that password. They also didn’t require the changes, nor were they temporary passwords, until this week. Now the setup password lasts 30 days and must be changed on first login.”

Dave Bittner: LogicMonitor hasn’t disclosed the nature of the attacks, but anonymous sources close to the incidents told BleepingComputer that the attackers “were able to create local accounts and deploy ransomware.”

Dave Bittner: In fairness to LogicMonitor, all default passwords represent an inherent if perhaps inevitable weakness. So do change them, and if you’re a vendor, be sure to nudge your users in that direction. Users, right? What are you gonna do? As Alcibiades said of Socrates, “can’t live with ‘em, can’t live without ‘em.” What, you don’t believe us? No, really: it’s in Plato’s Symposium. You can look it up. Bonus fun fact, for any of you out there who are starting or returning to studies at your university: “symposium” is Attic Greek for “kegger.” No, really: ask the faculty what they’re bringing. Seriously. Class dismissed.

Dave Bittner: Coming up after the break, Joe Carrigan explains how Meta uncovered a Chinese influence effort. Our guest is Connie Stack, CEO of Next DLP, discussing data breach notification procedures. Stay with us. [ Music ] Where does your organization stand when it comes to data breach notification procedures? Do you have a run book, a framework, outside counsel on retainer, perhaps a PR company on speed dial? Connie Stack is CEO of data protection firm Next DLP, and I spoke with her about navigating the complexities of data breach notification requirements.

Connie Stack: And a lot of people, frankly, they're not necessarily 100% certain when notification is required, because, you know, there are specific regulations within states, there are specific regulations within particular industries. But essentially, when and if you experience a data breach -- and many companies have -- in many instances, there is a requirement to notify those that will be impacted by that breach. And even the definition of impacted is, you know, different state by state and regulation by regulation. But essentially, I think a good rule of thumb is that if sensitive information is lost -- information like PII (personally identifiable information), information governed by HIPAA (or the Health Information Portability and Protection Act) -- those are the kind of data that, if you have a breach at your organization and you believe sensitive information in either one of those categories or potentially even intellectual property is lost, there should be notification required in those instances. So good rule of thumb. You lose PII, you lose PHI, you lose PCI (credit information), you can assume notification is required. And an organization who is, you know, developing breach response policies should clearly understand what requirements there are for notification in the states and in the vertical categories in which they exist.

Dave Bittner: You know, it strikes me that, of course, this is one of those things that you want to do all of your planning ahead of time, not when you're in the heat of the moment having experienced a data breach. Do you have any words of wisdom here for people's order of operations? You know, having a run book? Rehearsing your actions? You know, those sorts of things? Tabletop exercises? So do all of those sorts of things come into play here?

Connie Stack: Absolutely, Dave. I love -- actually, NIST has published a series of standards, best practices, and recommendations. And I don't think they referred to them as the 3P's of a breach response, but I do. And the 3P's that they recommend are policy, plan, and procedure. So when it comes to policy, I mean, that is stage one. As you said, before a breach event even occurs, you should have a policy in place that governs how your organization will, you know, respond to a potential, you know, data breach or loss of sensitive information. And that policy should clearly define, you know, the scope -- you know, who is it going to apply to, under what circumstances would this policy be enacted, and so on. But essentially, the first P of breach response is policy, and you should have one. The second one, which really falls out of that policy, is your plan for a breach response, right. I mean, this is your high-level strategy for implementing, you know, that data breach policy. So the plan really should identify all the organization resources that you're going to tap into, any required management support. If you require any, you know, tailored kinds of communications, you might want to enlist the help of a PR firm and make that a part of your plan, and so on. And then out of that plan is a set of procedures that you should be able to follow, you know, and should be, again, well-defined. You should have, you know, the ability to follow those clearly, because, again, you have predefined those as a part of your overall data breach, you know, policy. And typically when it comes to these procedures, you know, the first thing any organization who suspects a data breach or has confirmed a data breach, they absolutely want to contain the impact of that breach, right. They've got to work hard -- if they were breached because of a, you know, a vulnerability in software that they use, then you've got to patch that vulnerability, right. You need to make sure you're containing the impact of, you know, the attack or the breach that you suffered. And then you really need to assess and quantify, right, what was the extent of this breach, right. Because those -- the extent of the breach will determine whether or not indeed it is disclosable and whether you need to notify those people who may have been impacted. And those people could be, you know, like I said, your customers in some cases, your employees in other cases, and so on. So that assessment is a really important part of your procedure as well. And then the notification comes in, and here's where, you know, you want to be crystal clear with your notification procedures. You want to understand who has to be notified, within what deadlines and timelines they need to be notified, what methodologies or approaches you can take to notify them. And they can range from, you know, email to social media posts to special pages on your website, and so on and so forth. And then ultimately, you know, review and refine. You want to make sure that the response to your breach was sufficient, that you minimized the damage to your business, and that you've put corrective measures in place and put improvements in place to your breach policy and notification policies that it may have, you know, acted against in this particular breach. If they need refinement moving forward, that should be a part of it as well. Once a notification happens, I think that, like I said, review, refine is a critical step that often gets -- you know, I think everyone just takes a deep breath and go, you know, whoa, we survived. But you really should make it a constant, you know, improvement cycle, you know, where possible. Because you will learn things with every potential breach and containment exercise and notification exercise that you would then apply, you know, should you suffer a breach again in the future. We don't want that to happen, of course, but sometimes, you know, it does, frankly. You know, practitioners of security know it's very difficult to plug all the holes and the bad guys just need to find that one, right. So it can happen more than once, and you want to be prepared and handle, you know, the breach as professionally and efficiently and effectively as possible to minimize the damage to your business, your customers. That's really a top priority.

Dave Bittner: Who within an organization should have ownership of this?

Connie Stack: You know, it should be -- security should be your quarterback. I think it is atypical for an organization to have somebody, you know, outside of security quarterbacking these kinds of efforts. But it does not mean, you know, you don't enlist the support of others outside of the security team. Because you may need people from within, you know, the business organization or line of business, to help you truly understand the sensitivity levels around data that might've been lost or exposed in any kind of, you know, breach. So you're going to put together, you know, a cross-functional team that says cybersecurity or, you know, experts in your security team, CISOs often quarterback these, like I said, these response efforts. But again, there is, even within your organization, you know, notifications are required to senior management, potentially to boards. If you're a publicly traded company, board notification is going to be important as well. So it usually is security that quarterbacks, but again, many members of your team across functional areas of the business should be supporting breach response and notification effort as well.

Dave Bittner: That's Connie Stack. She's CEO at data protection firm Next DLP. [ Music ] Joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute and also my cohost over on the Hacking Humans podcast. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: Interesting article. This is written by Sarah E. Needleman for the Wall Street Journal, and it's titled "Meta uncovers largest ever Chinese influence network." What's going on here, Joe?

Joe Carrigan: Well, Meta has come out and said that they found 7,700 accounts. They've taken down a bunch of accounts across more than 50 apps, including 7,700 apps or accounts on its own Facebook and Instagram. They also found accounts on YouTube, TikTok, Reddit, Pinterest, X (formerly Twitter), and other smaller platforms as well. The operation -- here we go, Dave -- the operation is known in the security community as "spamouflage."

Dave Bittner: Nice.

Joe Carrigan: And it dates back to 2019. And it's linked with people in the Chinese government or Chinese law enforcement.

Dave Bittner: Okay.

Joe Carrigan: Now, China denies their involvement here.

Dave Bittner: Right.

Joe Carrigan: But that's standard for a lot of governments. You know, I'm sure that if China accused us of -- the American government -- of doing something, we'd say, no, no, no, that's not us.

Dave Bittner: Sure.

Joe Carrigan: But this is tradecraft, really, as far as I'm concerned. But this is the largest takedown that Meta has ever orchestrated, 7,700 accounts on their systems.

Dave Bittner: It's interesting that, first of all, 7,700 doesn't sound like a huge number to me relative to the size of Meta's platforms.

Joe Carrigan: Right.

Dave Bittner: And also, you know, think of just populations of both the US and China, 7,700, big but not huge.

Joe Carrigan: Right.

Dave Bittner: It's interesting to me, too, that Meta says that their view of this is that these really didn't get a whole lot of traction.

Joe Carrigan: They didn't get a whole lot of traction. And maybe it's because of the small size of the network. But I don't think that's really why. I think it's probably because they were doing this -- yeah, it was caught by Ben Nimmo, a global threat intelligence lead at Meta, said, they're throwing spaghetti at the wall to see what sticks. So they're just going with quantity over quality. So that's why it's probably not the most effective. There was a bunch of criticism in the social network sites about election interference and allowing election interference in the 2016 election.

Dave Bittner: Right.

Joe Carrigan: And, of course, you know, everybody thinks they cleaned up their act, right. But I don't think that's what's going on. This is why I say, don't get your news from social media, right.

Dave Bittner: [Laughing] Right.

Joe Carrigan: Just don't do it. Don't look at that. Don't let something on social media you see irritate you; it's probably not true. You owe it to yourself to take the time to find out through sources that you've vetted to go and look at whatever it is that's being said to see if it's true. Now, these were all pro-Chinese messages and messages meant to disparage the US, right, in this campaign. There is also mention of a Russian campaign, which was a social media campaign meant to decrease the population's desire for support for Ukraine. So this is how -- again, I say, this is tradecraft for these folks. This is what they're doing to try and change how people think about this. So maybe they reprioritize when it comes time for them to vote in their elections.

Dave Bittner: I suppose in a country as divided as ours is right now, if you're able to move that needle even just a little bit, that could make a difference.

Joe Carrigan: Yeah, yeah, that's right. And sadly, I'll say this about people in America, it's like shooting fish in a barrel on social media. You know, these social media apps are designed to keep you engaged, right.

Dave Bittner: Right.

Joe Carrigan: They're designed to keep your eyes on the page, that's what they are intended to do. And the algorithm behind the app and, you know, what gets put on your page does not care if you're a Democrat or Republican, Libertarian, Green Party member. It knows that you are. It also knows how you feel about the message. Do you want to see something that -- are you the kind of person that likes to see stuff you agree with? Are you the kind of person that likes to see stuff you disagree with? Are you the kind of person that engages angrily with other people? It doesn't make any distinction about your feelings on the subject. All it cares about, the only metric it's using, is how much time you spend on the platform.

Dave Bittner: Yeah.

Joe Carrigan: So that's why people are remarkably susceptible to these things, not particularly to this campaign. Because this campaign wasn't that well run. But a better run campaign can be much more effective.

Dave Bittner: Yeah. Well, and certainly as we're in the run-up to the next round of national elections here, this kind of thing.

Joe Carrigan: This is going to be a fun cycle, Dave.

Dave Bittner: We're going to see a lot more of this, yeah.

Joe Carrigan: Yeah.

Dave Bittner: All right, again, article from the Wall Street Journal written by Sarah Needleman. Joe Carrigan, thanks for joining us.

Joe Carrigan: It's my pleasure, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment with Jason and Brian on their show for a lively discussion of the latest news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.