Phishing with Facebook Messenger bots. Redfly hits a national power grid. Nice platform you got there…shame if something happened to it. MGM Resorts grapples with a “cybersecurity issue.”
Dave Bittner: Phishing with Facebook Messenger accounts. Redfly cyberespionage targets a national grid. The exploit trade in the C2C underground market. Phishing attack exploits Baidu link. A repojacking vulnerability. A hacktivist auxiliary looks to its own interests. Ben Yelin marks the start of the Google antitrust trial. In our Industry Voices segment, Adam Bateman from Push Security explains how identities are the new perimeter. And MGM Resorts are dealing with a “cybersecurity issue.”
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, September 12th, 2023.
Iranian cyberespionage activity uses a new backdoor.
Dave Bittner: ESET reports that the APT they track as Ballistic Bobcat is currently active against targets in Brazil, Israel, and the United Arab Emirates. Ballistic Bobcat is known in other threat actor bestiaries APT35/APT42, Charming Kitten, TA453, or PHOSPHORUS. The group is using a novel backdoor, tracked as "Sponsor," which uses configuration files stored on disk. ESET writes,"These files are discreetly deployed by batch files and deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines." Ballistic Bobcat carefully scans for known, unpatched vulnerabilities in target systems and exploits those for initial access. The APT's usual target list includes "education, government, and healthcare organizations, as well as human rights activists and journalists."
Phishing with Facebook Messenger accounts.
Dave Bittner: Guardio Labs is tracking a widespread phishing campaign that’s targeted millions of business accounts on Facebook Messenger, compromising about 1 in 70 of the targeted accounts. The campaign uses phony business inquiries to distribute “a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods.” The threat actor behind the campaign appears to be a cybercriminal group based in Vietnam. The researchers note, “The threat actors hold an army of bots and fake Facebook accounts as well as a listing of millions of business accounts, pages, and managers — sending away over +100k phishing messages a week to Facebook users around the world.”
Redfly cyberespionage targets a national grid.
Dave Bittner: Symantec warns that the Redfly threat actor “used the ShadowPad Trojan to compromise a national grid in an Asian country for as long as six months earlier this year.” The attack began in February, and the objective appears to be espionage.
Dave Bittner: Symantec notes, “The frequency at which [critical national infrastructure] organizations are being attacked appears to have increased over the past year and is now a source of concern. Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in nation-states during times of increased political tension. While Symantec has not seen any disruptive activity by Redfly, the fact that such attacks have occurred in other regions means they are not outside the bounds of possibility.”
The exploit trade in the C2C underground market.
Dave Bittner: Flashpoint has published a report looking at the demand for vulnerability exploits in criminal markets. The prices of the exploits vary, with some being sold for tens of thousands of dollars. In one case, a Cloudflare web application firewall (WAF) bypass zero-day was combined with a new exploit for a patched Magento flaw and offered for $30,000.
Dave Bittner: In another instance, threat actors offered an exploit for a patched vulnerability affecting the Microsoft Windows Print Spooler service. The researchers note it has not been reported as being exploited in the wild, but Flashpoint analysts observed a threat actor selling an exploit targeting the CVE on February 16. The threat actor set the price of the exploit at $8,000 USD for the compiled binary, and USD $13,000 for the source code. Flashpoint observed on March 31 that a notable threat actor displayed interest in purchasing the exploit.
Phishing attack exploits Baidu link.
Dave Bittner: Vade describes a phishing campaign that abused Chinese search engine Baidu’s link redirect feature. The phishing links lead to a spoofed Microsoft 365 login page hosted by Cloudflare. Vade states, “As usual, the attackers protect their webpage by using cover and redirection mechanisms. Many email filters are likely to treat a Baidu domain as safe and pass the phishing email to the intended victim’s mailbox. Additionally, the use of multiple intermediary pages is designed to intercept and prevent the analysis from reaching the destination phishing page. Since these pages don’t contain fields or links, they encourage filters to view them as safe.”
A repojacking vulnerability.
Dave Bittner: Checkmarx discovered a vulnerability “that could allow an attacker to exploit a race condition within GitHub's repository creation and username renaming operations” in order to conduct repojacking attacks. GitHub has since fixed the flaw.
Dave Bittner: Checkmarx states, “Successful exploitation enables the takeover of popular code packages in several package managers, including ‘Packagist,’ ‘Go,’ ‘Swift,’ and more. We have identified over 4,000 packages in those package managers using renamed usernames and are at risk of being vulnerable to this technique in case a new bypass is found. Of these packages at risk, hundreds of them have garnered over 1,000 stars on GitHub.”
A hacktivist auxiliary looks to its own interests.
Dave Bittner: Anonymous Sudan, which, despite the name, is Russian operated, retaliated against Telegraph for its suspension of the group's main account, SecurityWeek reports. SOCRadar describes the distributed denial-of-service (DDoS) attack, which they assess as having largely failed. Telegram hasn't said why it banned Anonymous Sudan, but it seems to have done so for the hacktivist auxiliary's organization and use of bot accounts.
MGM Resorts shuts down some of its systems because of a “cybersecurity issue.”
Dave Bittner: And, finally, if that one-armed bandit’s not working out for you, maybe it’s a cyberattack.
Dave Bittner: MGM Resorts is undergoing what it characterizes as a “cybersecurity issue.” The company has so far been tight-lipped about the nature of that issue."
Dave Bittner: BleepingComputer says the incident began Sunday evening, and that it affected ATMs and credit card readers at resorts as well as MGM Resorts main webpage. Some guests say that their room keys are no longer working, and local media in Las Vegas say there are reports of slot machines in the resorts being out of operation.
Dave Bittner: The outages are particularly pronounced in Las Vegas, but resorts elsewhere have been affected, too. TechCrunch reports that the websites for “several of MGM’s regional resorts, including MGM Springfield in Massachusetts, MGM National Harbor and the Empire City Casino in New York.”
Dave Bittner: MGM Resorts hasn’t said what kind of issue it’s grappling with, but the involvement of law enforcement and the fact that it appears to be something that’s disrupting availability suggests to many experts that it’s probably a ransomware attack. But that, we stress, is at this point speculation.
Dave Bittner: Anyway, if you’re booking a vacation, MGM Resorts says you can still do so by phone. We’re pretty sure you can see Cirque du Soleil at the Bellagio, but who knows? The site’s still down. Anyhoo, operators are standing by.
Dave Bittner: Coming up after the break, Ben Yelin marks the start of the Google antitrust trial. In our Industry Voices segment, Adam Bateman from Push Security explains how identities are the new perimeter. Stay with us. As a security professional, you may find yourself in the situation where employees sign up to new SaaS apps on their own, for convenience or expedience. This can result in countless identities being created across the Internet, which potentially are a new attack surface for attackers and a route to company data. So do you block employees from doing this, or create a pathway for your employees to walk safely? What about maintaining company productivity along the way? Adam Bateman is cofounder and CEO at Push Security. And in this sponsored Industry Voices segment, he makes the case that identities are the new perimeter.
Adam Bateman: There's a lot of talk and rage at the moment about identities being the new company attack surface. And I think a really good way to conceptualize this is, in the 2000's, our first attack surface was really open ports on IP addresses. And then it quickly morphed into being employees and their entry points. And now it's kind of identities on online applications or in the cloud. And so when we talk about identities, really, we're talking about user accounts. They're the new entry point. And the reason this is important is because, well, firstly, if an attacker aims their attacks at identities in the cloud, they don't hit the company network, right. Which is where a lot of the defenses and detection response is currently happening. It kind of goes past the network and directly into cloud infrastructure. And the second reason there's a lot of talk about it is because -- I'm from a red team background, and when I think back to those days, the nerve-wracking part when you're on the offensive side is getting that initial foothold into the network. And the reason for that is because you are doing something abnormal on the network or you're, you know, launching a new process or executing some kind of code or something that shouldn't happen. And those sorts of anomalies are possible to detect. The moment you compromise someone's identity -- like you get access to their account through key logging or the numerous ways that that's possible -- you're like a ghost on the wire. You know, it's very difficult to tell the difference at that point between the actual user logging into things and the attacker doing it. And so when it comes to identity security, that's the challenge that the industry is facing at the moment is, how do we actually discover these attacks when we're not really equipped and we're not in that position to do that at the moment?
Dave Bittner: And how are people coming at this? I mean, do you find that there is a good amount of misunderstanding out there?
Adam Bateman: Yeah. And I think the biggest misunderstanding that I'm seeing is that people are aware from what I'm seeing that identities are now a target and something people need to pay attention to. But I think the focus at the moment is on the core identities that people know about -- so maybe on your AWS or your Azure, your GCP, and those kinds of things. Now, they are really important, there's absolutely no doubt. But they also have the greatest level of security controls and maturity around them. They can be connected to SSO. There's lots of different security mechanisms built into those like, you know, multifactor by default, and everything else. And the bad thing that people aren't thinking about as much is there's now this huge proliferation of SaaSifications that are equipped for self-service. So we're not in a position anymore where we used to be where IT was centralized. So the IT and security team would be the ones to bring new products or new software into the company on an employee's request, and they would vet it for security controls and they would make sure it passes all the compliance checks, and then they would enroll the employee. Especially since the hybrid working and all these things, employees now directly sign up on their own and IT has become decentralized, right. So finance team will pick their own software, they'll test lots of different things, and they'll determine which one they want to use. And some of those get abandoned. Some of those get adopted. And IT and security often don't know about this. And so the issue is is that we end up with this identity sprawl. There's lots and lots of new user accounts being created that are potentially vulnerable and already broadens that attack surface way beyond just the core applications that people are aware they have in their infrastructure.
Dave Bittner: How do you fight that? I mean, how does an organization gain visibility there?
Adam Bateman: Well, I think the first thing to remember, a lot of people think, okay, but I've got everything behind SSO. But the thing to bear in mind though is that adding something to SSO is now the last step. And so it's not the first step, right. So you have to discover that someone has signed up and created a new identity to get that identity then enrolled in SSO. So that's a really important thing to think about. The second thing to think about is that it's surprising to people that not that many SaaS apps even support SSO in the first place. We took a sample of about 500 of the most commonly used ones we see across our customer base that are the highest impact. And we found about 31% have any support for SAML or AuthO, and within that 31%, you need to be on the enterprise for a lot of those. On top of that, I think people sometimes think about SSO as being a kind of shield in front of identities, and it's not really. It's a management layer. So I liken it to Active Directory. Active Directory is a great way of managing accounts that are scattered across a Windows estate, but you can still log in with your local admin password. And so it's still important to defend those as well. And the same is true for SaaS. Even though you have an SSO management layer, the active accounts on the individual SaaSifications, you can still log into them in a lot of cases. When you disable them in your IDP, they're not always removed underneath. So what I'm really saying here is that you need to think about identity sprawl in lots of different SaaSifications' own attack surface and actually discover when employee sign up and create new identities. So the way that we do that is by using a browser plug-in and being in the browser and then detecting sign-ups and logins.
Dave Bittner: What are your recommendations for folks who want to do a better job of getting on top of this? Where should they begin?
Adam Bateman: Our first thing is really just to have it part of your threat model. Because I don't think the industry is thinking about this as much. And we actually have tried to help with this. Given the fact we look into SaaS security and identity security, we obviously naturally do our own research to look into the different security weaknesses that could exist inside SaaS platforms. And then we use those to prioritize our project features to make sure that we are focusing on the right things. And we've recently actually started to do that work online. And so we created a SaaS attack matrix with 38 different SaaS native attacks. And we've published that on GitHub repo, with associated blog posts. And the idea of that research was to look through an offensive security practitioner's eyes and say, how do I comprise a company without touching the network? And is it possible to compromise a more trivial application and use that foothold to your advantage to expand your access? In the same ways it is possible on PRIM world. So that's now being available online, and the various techniques there are demonstrated. The first thing I'd say is it's a good resource. We don't consider it our resource, which is why we've open sourced it. We're looking for contributions and we're hoping that that is just one way of people looking at this. And if there's a breach or a compromise, actually looking at this and thinking, could it have originated from this SaaSification rather than another place on my network? The obvious other part is just to get visibility into what employees are logging into and get a good oversight of what identities are being created and whether or not they're vulnerable.
Dave Bittner: The folks that you're working with who are seeing success here, are there any common elements?
Adam Bateman: I think it comes down to visibility first. You can't defend what you can't see, that's the main thing. So I think it's get the flight recorder turned on, we always recommend that to people. Because I think the thing that's simple when it comes to SaaS and online identities is that there's no doubt that the systems and SaaSifications that get finally adopted and brought into production will end up with the most data in them. But even the applications that have just been used for testing and experimenting and then abandoned can contain API keys and access tokens into other systems. And those are the areas where there's potential long-term risk. Because if an employee abandons that SaaSification, you're probably not going to detect it, because the employee will never log back into that from your infrastructure. But an attacker who's performing credential stuffing could potentially pick up that account for as long as the SaaSification stays online. So I'd say, you know, if you were really going to simplify is, be aware of this space and that this is happening and consider it as part of the threat model and turn the flight recorder on so you actually can start to see what identities are being created from the beginning.
Dave Bittner: That's Adam Bateman, cofounder and CEO at Push Security. [ Music ] And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, and also my cohost over on the Caveat podcast. Hey, Ben.
Ben Yelin: Hey, Dave.
Dave Bittner: So today is a big day, especially for legal nerds like you [laughing]. I'm so mean. But today kicks off the Google antitrust trial here. The Department of Justice is coming after certainly one of the biggest tech companies in the world. What do we need to know going into this, Ben?
Ben Yelin: So this case was first filed in 2020 under Attorney General William Barr in the Trump Administration. It is the US et al v Google. And it focuses mostly on Google as a search engine. The allegation here is that Google used the tool's market share -- which is estimated about 90% -- to throttle competition in both searching and advertising. So the idea is that Google rigged the system. They, using their market power, bullied Apple with their iPhones and other companies that produce different devices to have Google be the default search engine. This is the first major antitrust case we've seen against a big tech company since Microsoft in the early 2000s. It's very difficult to go after a big tech company for a number of reasons. One is practical. There is the thought out there that any major challenge under the Antitrust Act against one of these companies is going to stifle innovation. What Google would say is, we earned this market share, we earned this market power, by having the most effective search engine. People use Google not because we engage in monopolistic practices but because Google is the best search engine. We just beat out the competition.
Dave Bittner: Okay.
Ben Yelin: One of their pieces of evidence -- which I found kind of humorous -- is that you know what the most common search term is on Bing?
Dave Bittner: Is it Google?
Ben Yelin: Yes, it is.
Dave Bittner: [Laughing] Okay. Of course it is.
Ben Yelin: Google has become a verb.
Dave Bittner: Oh, I see.
Ben Yelin: To Google something.
Dave Bittner: Yeah.
Ben Yelin: And I think what Google would say in their defense of this antitrust case is this is not about anti-competitive practices, this is about us earning a significant market share. But the Sherman Antitrust Act was designed for these types of incidents where some entity has undue bargaining power, the ability to throttle competition, because they have such a large market share.
Dave Bittner: Right.
Ben Yelin: So I can honestly see both sides of this dispute. I'm really interested in what's going to happen in court here, how each side is going to argue their position. So it's definitely something I'm going to be watching very closely.
Dave Bittner: It's interesting, you sort of alluded to it, how Google pays companies like Apple to be the default search engine on the iPhone. I would imagine Microsoft -- who has the Bing search engine -- you know, they could afford to throw money at this, and they could probably outbid Google. But a smaller entity like DuckDuckGo.
Ben Yelin: Right. That's one of the things that's been mentioned in a lot of articles about this.
Dave Bittner: That would be out of their reach, right?
Ben Yelin: Right, right. So there are a couple of ways that this could be resolved. One of which would be some type of settlement where Google doesn't lose. The full power of our antitrust enforcement doesn't fall on them. But there's some type of judicial ruling forcing them to -- some type of fair competition to be the default search engine here, where they can't just throttle their competition and buy them out. That was kind of a mechanism that we saw as a part of the resolution to the Microsoft cases, where there were competitive bidding processes and users were required to have the chance to opt into Microsoft as the default system. I think we could see something similar with Google here, where when you get a new iPhone, maybe several companies can vie to be the default search engine when you open up that iPhone, so it's not just automatically Google.
Dave Bittner: You choose.
Ben Yelin: Yeah, that could be part of some type of resolution here. But again, that's very long-term. I think the bigger picture right now is, first of all, can our Justice Department still prosecute these big antitrust cases against the biggest behemoth really not only in the tech industry but in any industry? And then what does this say about the future of technological innovation? Are the companies that are at the forefront of AI, the companies that think that they're going to acquire that market share, should they be concerned down the line about antitrust action? And is that going to inhibit their current activity in developing that technology? So I think those are issues that are very alive in this debate.
Dave Bittner: Is there any discussion here of breaking up some of Google's various parts -- detaching the advertising arm from the search engine arm? Or is this not part of that?
Ben Yelin: I think it's mostly focused on their search business. But if you get sort of a broader ruling, it might apply to other sectors such as artificial intelligence.
Dave Bittner: Okay.
Ben Yelin: So right now, it's a relatively narrow case about its dominance in the search engine market. But if you get a ruling that exceeds or that goes beyond a simple discussion of search engines that affects other areas where Google has a market advantage, then that can affect its other products as well.
Dave Bittner: I see an article from NPR outlining how this is supposed to play out here, and they made the point that it's a judge who will be hearing the case, that they expect it to run for three months, no jury. Can you explain some of that, sort of the practical machinations of how something like this works? Three months doesn't seem like a lot of time to me.
Ben Yelin: It's not a lot of time for a topic that's this complicated. I think we're going to have the best lawyers on behalf of our Justice Department, joined by representatives of attorneys general offices across the United States who have joined this lawsuit. And then Google is going to put up its best effort as well. Like you said, there is going to be no jury. This is going to be argued in front of a judge. So I don't know what type of impact that's going to have. Obviously, if you're trying to argue something in front of a jury, you have to be worried about your target audience and how much they know about the tech industry generally and whether they can grasp the nuances of antitrust law. When we're talking about a judge, you don't have to be concerned about framing your oral arguments in those types of layman's terms; you can really argue on the nuance here. And I think there's proper precedent on behalf of the government, and in the past, they've used the Antitrust Act as a tool to put the hammer down against these types of companies. It happened in the late 1960s with IBM. It happened in the early 2000's with Microsoft. There was an antitrust scholar who was quoted in this Washington Post article I'm reading that called this the "policeman at the elbow effect." That I think the Justice Department takes a generally hands off approach to antitrust enforcement in the tech in the industry. But when it gets out of hand, you know that the policeman at the elbow is going to be there. Which means there's some type of disincentive for these companies to go too far. I think when you're Google, you're less concerned about the policeman at the elbow than you are about just kind of asking for forgiveness and not for permission.
Dave Bittner: Yeah.
Ben Yelin: I want to get my 90% market share, let the legal chips fall where they may.
Dave Bittner: All right.
Ben Yelin: But it should certainly be very fascinating.
Dave Bittner: Yeah. It's a historic day.
Ben Yelin: It really is, it really is. We'll be following this very closely.
Dave Bittner: All right, Ben Yelin, thanks for joining us. [ Music ] And that's the CyberWire. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2K.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.