The CyberWire Daily Podcast 9.13.23
Ep 1905 | 9.13.23

How one access broker gets its initial access (it’s through novel phishing). Be alert for deepfakes, US authorities say. The Pentagon’s new cyber strategy. And a reminder: yesterday was Patch Tuesday.

Transcript

Dave Bittner: An access broker's phishing facilitates ransomware. 3AM is fallback malware. Cross-site-scripting vulnerabilities are reported in Apache services. US agencies warn organizations to be alert for deepfakes. The US Department of Defense publishes its 2023 Cyber Strategy. Ann Johnson from the Afternoon Cyber Tea podcast speaks with Jenny Radcliffe about the rise in social engineering. Deepen Desai from Zscaler shares a technical analysis of Bandit Stealer. And a quick reminder: yesterday was Patch Tuesday.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, September 13th, 2023.

Access broker's phishing facilitates ransomware.

Dave Bittner: A Microsoft report outlines a criminal access broker that sends phishing lures through Microsoft Teams messages. The threat actor, which Microsoft tracks as “Storm-0324,” distributes a variety of malware strains, but primarily focuses on delivering JSSLoader before handing over access to the Sangria Tempest ransomware actor (also known as “FIN7”). Microsoft explains, “Storm-0324’s email themes typically reference invoices and payments, mimicking services such as DocuSign, Quickbooks, and others. Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload.”

Dave Bittner: Storm-0324 is financially motivated, straightforwardly criminal, but its attack methods show considerable sophistication. Microsoft states, “The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic. This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site.”

Dave Bittner: A quick note in full disclosure: Microsoft is a CyberWire partner.

3AM is fallback malware.

Dave Bittner: The Symantec Threat Hunter Team, part of Broadcom, describes a new ransomware family called “3AM.” So far, the ransomware “has only been used in a limited fashion,” and Symantec’s researchers have “seen it used in a single attack by a ransomware affiliate that attempted to deploy LockBit on a target’s network and then switched to 3AM when LockBit was blocked.” In this attack, Symantec notes, “The use of 3AM was only partially successful. The attackers only managed to deploy it to three machines on the organization's network and it was blocked on two of those three computers.” The researchers add, however, that “the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future.” So even the crooks need a fallback sometimes, it seems.

Cross-site-scripting vulnerabilities reported in Apache services.

Dave Bittner: Researchers at Orca discovered eight cross-site scripting (XSS) vulnerabilities affecting several Apache services on Azure HDInsight. The vulnerabilities “could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads.” Orca notes, “All XSS vulnerabilities posed significant security risks to data integrity and user privacy in the vulnerable Apache services, including session hijacking and delivering malicious payloads, putting any user of the Apache services at risk, including Apache Hadoop, Spark, and Oozie.” Microsoft issued patches for the flaws back on August 8th.

US agencies warn organizations to be alert for deepfakes.

Dave Bittner: NSA, CISA, and the FBI have issued a cybersecurity information sheet, Contextualizing Deepfake Threats to Organizations, intended to lay out the nature of the family of technologies loosely grouped as "deepfake" technologies. These include sophisticated video and imagery manipulation as well as text generated by artificial intelligence systems through large language models. The tone of the warning is prospective rather than immediate. "As with many technologies, synthetic media techniques can be used for both positive and malicious purposes," the advisory says. "While there are limited indications of significant use of synthetic media techniques by malicious state-sponsored actors, the increasing availability and efficiency of synthetic media techniques available to less capable malicious cyber actors indicate these types of techniques will likely increase in frequency and sophistication." Defensive measures remain works-in-progress, but the three agencies offer some suggestions for organizations beginning to prepare themselves for this particular form of disinformation.

Dave Bittner: Deceptive use of AI is also receiving some Congressional attention. Reuters reports that a measure to limit AI's exploitation in political campaigns has been introduced in the US Senate. The sponsors, Senators Klobuchar, Coons, Hawley, and Collins, said, "This bill would ... prohibit the distribution of materially deceptive AI-generated audio, images, or video relating to federal candidates in political ads or certain issue ads to influence a federal election or fundraise."

US Department of Defense publishes its 2023 Cyber Strategy, informed by lessons from Russia's war against Ukraine.

Dave Bittner: The US Department of Defense has sent its 2023 Cyber Strategy to Congress and made an unclassified version available to the public. "This strategy draws on lessons learned from years of conducting cyber operations and our close observation of how cyber has been used in the Russia-Ukraine war," Assistant Secretary of Defense for Space Policy John Plumb said. "It has driven home the need to work closely with our allies, partners, and industry to make sure we have the right cyber capabilities, cyber security, and cyber resilience to help deter conflict, and to fight and win if deterrence fails." The Strategy outlines what it calls "four complementary lines of effort:"

  1. "Defend the Nation." This commits to defending forward, and "disrupting and degrading" the adversaries' capabilities and the "ecosystem" that supports them.

  2. "Prepare to Fight and Win the Nation's Wars." This line of effort aims at national resilience, and at achieving the ability to operate in contested cyberspace.

  3. "Protect the Cyber Domain with Allies and Partners." This line of effort is most clearly influenced by the lessons of the hybrid war against Ukraine.

  4. "Build Enduring Advantages in Cyberspace." That is, the Department of Defense is in this for the long haul.

Dave Bittner: "In Russia's war on Ukraine," the Strategy says, “Russian military and intelligence units have employed a range of cyber capabilities to support kinetic operations and defend Russian actions through a global propaganda campaign. Russia has repeatedly used cyber means in its attempts to disrupt Ukrainian military logistics, sabotage civilian infrastructure, and erode political will." 

Dave Bittner: To be sure, the Russian cyber campaign has fallen well short of expectations, but that's no accident, the Department of Defense says: the Russians faced effective, collaborative opposition. "While these efforts have yielded limited results, this is due largely to the resilience of Ukrainian networks and support from the international community.” And this hybrid war is unlikely to be the last one. As the Strategy notes, “In a moment of crisis, Russia is prepared to launch similar cyber attacks against the United States and our Allies and partners."

Dave Bittner: The strategy also notes that deterrence in cyberspace requires that cyber capabilities be integrated with other capabilities and operations, that cyber operations deter best when they're integrated as combat support, and when they're accompanied by other measures, presumably including non-military legal and economic action. "Experiences have shown that cyber capabilities held in reserve or employed in isolation render little deterrent effect on their own. Instead, these military capabilities are most effective when used in concert with other instruments of national power, creating a deterrent greater than the sum of its parts." 

Dave Bittner: So cyber deterrence isn’t like nuclear deterrence, where simply having the capability serves to dissuade the adversary. Cyber deterrence works when it’s integrated with hard kinetic power, soft diplomatic power, and just-right legal and economic power. Just saying, trust me, pal, I got a zero-day with your name on it, buddy, doesn’t cut it, even when you’ve really got that zero-day.

Patch Tuesday.

Dave Bittner: And, finally, a reminder. Yesterday was September's Patch Tuesday. Microsoft addressed sixty-one numbered vulnerabilities, SAP issued eighteen patches, and Adobe fixed issues in Acrobat and Reader, Experience Manager, and Connect. Admins, users, sisters, cousins, and aunts…review your systems and, as CISA would say, “apply updates per vendor instructions.”


Dave Bittner: Coming up after the break, Ann Johnson from the Afternoon Cyber Tea podcast speaks with Jenny Radcliffe about the rise in social engineering. Deepen Desai from Zscaler shares a technical analysis of Bandit Stealer. Stay with us. [ Music ] Ann Johnson is the host of the Afternoon Cyber Tea podcast from Microsoft. And in this excerpt from a recent episode, she speaks with Jenny Radcliffe about the rise in social engineering.

Ann Johnson: Today I'm joined by Jenny Radcliffe, better known in some circles as The People Hacker. Jenny is an ethical social engineer, a people hacker hired to smash security measures using psychology, con-artistry, subliminal linguistics, cunning, and guile. Jenny has led simulated cybercriminal attacks on businesses of all types and sizes, running crews with varied expertise and experience to help secure client sites and information for malicious attacks. She is the go-to expert on the human element of security, scams, and social engineering, and is also host of the award winning podcast "The Human Factor". Welcome to "Afternoon Cyber Tea", Jenny.

Jenny Radcliffe: Thank you for having me. It's a pleasure to be here.

Ann Johnson: So, can you start by talking, you know, a layperson's terms, right, someone who's not a security professional, the description of a social engineer, an ethical hacker, and tell us how you found your way into this interesting career to the ethical side of hacking and the ethical side of social engineering.

Jenny Radcliffe: Yeah. I mean, you know, people hacker is still a hacker, right? And I think people always think of hackers, we use that term interchangeably with criminal a lot of the time. And that's not always the case. As you say, you know, ethical hackers play a huge part in defense. And social engineering is really, it's another kind of misnomer for people, because what it does is it tests security systems without using technology, okay, or rather kind of aligned with technology. So I'm all about working on psychology of what people think and what we can get people to do, what we can persuade, manipulate people to do. And that always sounds very negative. But I always say to people, think of it kind of like a fire test, you know, like a fire drill, sort of a cross between that and a kind of really sort of scummy version of "Ocean's Eleven", where not everyone's quite that good looking. And so, yes, that's what we do. So, I'm hired by organizations and high net worth individuals to attempt to break their security through psychology, essentially, through conversation, through sort of human characteristics.

Ann Johnson: Do you find that the strategies and tactics used in the physical world are the same as the cyber world? And do cybersocial engineers and criminals have a distinctly unique approach?

Jenny Radcliffe: No, you know, not on my side of it. Like the tactics are the same. You know, it's still always kind of looking for that human connection, looking to sort of try and exploit what someone would forget. I mean, we look at the system holistically, okay? So it's not that you can actually, in many ways, separate the physical and the cyber when it comes to attack. I think that's something that the security industry do a lot. And from a criminal perspective, and, you know, again, I'm ethical, but I wear a criminal hat, we just look at the system holistically. So, for example, I've never been a technical hacker. I have lots of friends who are brilliant hackers, technically, and they've taught me one or two things. But I've never looked at it that way. However, of course, as soon as cyber comes online and systems are relying more and more on technology, we just incorporate that into the mix. It's the same. It's still just looking for a weakness.

Ann Johnson: We've talked a lot about individuals and things to look out for. But do you have any other tips before we move into our typical close? Anything else for people as an individual, not necessarily a company, that they should be looking out for?

Jenny Radcliffe: Just out of context things, you know. I always say, emotion, urgency, call to action, money. But really, the thing is, if you're being asked to do something that's just not usual, especially if it's emotional, especially if it's about money, or getting around procedure, just be more suspicious. And, you know, this is a horrible thing because people say, "Oh, but it's awful that we have to be suspicious. You sound paranoid." But, you know, it kind of takes some of the enjoyment out of life. And the truth is, we need to be honest with people. Yes, it does. It does stop us all enjoying life. You know, if scammers and social engineers, malicious social engineers, and criminals were not present, the world would be a much happier, more harmonious place. But I'm sick and tired of this industry being so afraid of frightening people that we stop being direct. Treat them like grownups. And say, "If something feels off, check it before you click." And that does mean, unfortunately, that we've got to be more suspicious than we'd like. That is reality. That is the life. There's a lot of things there to help. There's technology and people trying to help you. But the bottom line is we do need to be more suspicious. [ Music ]

Dave Bittner: That's Ann Johnson from Microsoft speaking with Jenny Radcliffe. You can hear the entire Afternoon Cyber Tea podcast episode on our website, thecyberwire.com. [ Music ] 

Dave Bittner: And joining me once again is Deepen Desai. He is the global CISO and head of security, research, and operations at Zscaler. Deepen, it's always great to welcome you back. You and your colleagues recently published some research here looking at Bandit Stealer. What can you share about this group here?

Deepen Desai: Yeah, thank you, Dave. So the Zscaler tech lab team, as part of our global threat landscape tracking activity, attracts several different malware families. And there is a specific focus on information stealing trojans. And we do keep an eye out for any new families, strings on the block as well. So Bandit Stealer actually is something that the team saw emerge in April of 2023. It's a new information stealer. It collects sensitive information from victim's machine upon successful attack. And the information includes things like cookies, saved login data, credit card information from several supported web browsers. We also saw it look for popular FTP clients and email clients installed on the endpoints. And of course, the goal over there is again to exfiltrate information that those applications have access to. Another functionality we saw over here was Bandit Stealer will also target crypto currency wallet applications. They're basically looking to steal those crypto currency wallets as well.

Dave Bittner: And how does one find themselves a target of Bandit?

Deepen Desai: This does show up in, you know, phishing attacks that you see commonly. In this case, they're not going after specific groups. That is not something that we saw in our analysis. This is where they will target users who will click on things, resulting in pirated software or resulting in those fake updates getting downloaded. Once a payload is on the system, that's where the whole behavior starts, where they look for specific browsers. There's more than a dozen different crypto currency wallets that they will look after, FTP applications and the likes.

Dave Bittner: Now, you note in the research here that they're attempting to be fairly stealthy in terms of evading virtual environments and detection.

Deepen Desai: Yes. So they do have a specific module where the goal over there is to flag security researchers doing analysis on virtual machines, or even automated sandbox-based analysis where, you know, these payloads will get flagged. So they do have detections for those environments. They will also look at whether the parent process -- and I'm kind of going geeky over here right now -- but the process that actually invokes the malware payload is what it expects it to be. That it's not actually running under some sandboxing process. So, again, the goal over here is to stay undetected and make sure they're able to persist in the victim environment for as long as possible without being detected by any of the security applications. One additional thing I'll call out over here is -- and this is very, very old-school -- we actually saw it managing huge blacklists of IP addresses. And these were IP addresses belonging to antivirus companies, security sandboxes, and things of that nature. So you guys could look at it in the blog as well. We've actually called it out. There's IP addresses that are blacklisted. There are MAC addresses that are blacklisted. There are usernames that are blacklisted, which are commonly associated with this sandboxing environment. And they go down to the level of process names and PC names as well.

Dave Bittner: Interesting. Also, noteworthy that this is written in the Go programming language. It seems like that's been a trend lately, yes?

Deepen Desai: Yeah, Go, and then we're also seeing Rust being heavily used by cyber criminals.

Dave Bittner: All right, well, Deepen Desai is the global CISO and head of security, research, and operations at Zscaler. The research we're discussing today is technical analysis of Bandit Stealer. Deepen, thank you so much for joining us. [ Music ] 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2K.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]

Selected reading.

Malware distributor Storm-0324 facilitates ransomware access (Microsoft Security) 

3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack (Symantec)

Azure HDInsight Riddled With XSS Vulnerabilities via Apache Services (Orca Security)

Contextualizing Deepfake Threats to Organizations (US Department of Defense) 

Bipartisan push to ban deceptive AI-generated ads in US elections (Reuters)

DOD Releases 2023 Cyber Strategy Summary (U.S. Department of Defense)

New Pentagon cyber strategy: Building new capabilities, expanding allied info-sharing (Breaking Defense)

New DOD cyber strategy notes limits of digital deterrence (DefenseScoop)

CISA Releases Three Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA) 

September 2023 Security Updates (Microsoft Security Response Center) 

Microsoft Releases September 2023 Updates (Cybersecurity and Infrastructure Security Agency CISA) 

Zero Day Summer: Microsoft Warns of Fresh New Software Exploits (SecurityWeek)

Microsoft Patch Tuesday: Two zero-days addressed in September update (Computing) 

Adobe Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA)

Microsoft, Adobe fix zero-days exploited by attackers (CVE-2023-26369, CVE-2023-36761, CVE-2023-36802) (Help Net Security) 

Adobe fixed actively exploited zero-day in Acrobat and Reader (Security Affairs) 

Adobe warns of critical Acrobat and Reader zero-day exploited in attacks (BleepingComputer) 

Apple Releases Security Updates for iOS and macOS (Cybersecurity and Infrastructure Security Agency CISA) 

SAP Security Patch Day for September 2023 (Onapsis) 

Google Rushes to Patch Critical Chrome Vulnerability Exploited in the Wild - Update Now (The Hacker News) 

Critical Google Chrome Zero-Day Bug Exploited in the Wild (Dark Reading)

Zero-day affecting Chrome, Firefox and Thunderbird patched (Computer)