Cybercriminals at the service of the state, and an array of new underworld tools.
Dave Bittner: Data brokers offer information on active US military personnel. Current BlueNoroff activity. A new Gootloader variant is active in the wild. Atlassian vulnerabilities actively exploited. The prevalence of breaches. Update on a Barracuda vulnerability. Hacktivism and the cyber course of the Hamas-Israel war. Bot-hunting in Ukraine. Microsoft’s Ann Johnson from Afternoon Cyber Tea speaks with Sharon Barber, Chief Information Officer at Lloyds Banking Group, about cyber trends in financial services. And election security is in the news–an off-year election is an election nonetheless.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, November 7th, 2023.
Data brokers offer information on active US military personnel.
Dave Bittner: Sensitive personal information belonging to thousands of active-duty US military personnel can be purchased for as little as twelve cents per record from online data brokers, researchers at Duke University have found. The information includes health data, financial data, location data, information about religious practices, and more. (And yes, religious practices are indeed the sort of data that are recorded–your religious affiliation, if any, is right there on your dog tags if you’re in a US Service.)
Dave Bittner: The researchers note that the availability of such data poses national security risks, even though the data brokerage industry remains largely unregulated in the US. Information about servicemembers can be useful to hostile intelligence services interested in building dossiers on potential targets for compromise, recruitment, or harassment. The researchers said, “In short, an industry that builds and sells detailed profiles on Americans could be exploited by hostile actors to target military servicemembers and veterans, as a subset of the U.S. population. Many veterans often still know currently classified information, even if they are no longer active-duty members of the military.”
Dave Bittner: Justin Sherman, a senior fellow at Duke’s Sanford School of Public Policy, told CNN, “It was way too easy to obtain this data: a simple domain, 12 cents a service member, and no background checks on our purchases. If our research team, subject to university research ethics and privacy processes, could do this in an academic study, a foreign adversary could get data in a heartbeat to profile, blackmail, or target military personnel.” So if they could get it from Duke, it’s a lead-pipe cinch the girls and boys over in the Moscow Aquarium (say) could do the same.
Dave Bittner: We’ll have comments from my Caveat co-host Ben Yelin on this story later in the show.
Current BlueNoroff activity.
Dave Bittner: Jamf has published a report on a new macOS malware strain attributed to North Korea’s BlueNoroff threat actor. BlueNoroff is a suspected state-sponsored actor that focuses on cryptocurrency theft.
Dave Bittner: Jamf explains, “The activity seen here greatly aligns with the activity we’ve seen from BlueNoroff in what Jamf Threat Labs tracks as the Rustbucket campaign where the actor reaches out to a target claiming to be interested in partnering with or offering them something beneficial under the disguise of an investor or head hunter. BlueNoroff often creates a domain that looks like it belongs to a legitimate crypto company in order to blend in with network activity.”
Dave Bittner: North Korea has long used cybercrime as a means of redressing economic shortfalls caused by international sanctions and the pariah state’s own failed policies. If commerce isn’t working for you, try theft. It is the juche way. Just ask Mr. Kim.
A new Gootloader variant is active in the wild.
Dave Bittner: SEO poisoning, in which victims' search histories are used against them, seems to be the initial point of entry for a new Gootloader variant IBM's X-Force has discovered. The researchers call the malicious implant “GootBot,” and say it "facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments." They describe GootBot as "a lightweight obfuscated PS script, containing only a single C2 server." It's an alternative to other, more familiar post-exploitation tools like Cobalt Strike. GootBot implants, once in, spread across an infected enterprise domain looking for domain controllers. "At the time of writing," X-Force says, "GootBot implants maintain zero AV detections on VirusTotal, enabling [the malware] to spread stealthily."
Atlassian vulnerabilities actively exploited.
Dave Bittner: Rapid7 is tracking ongoing exploitation of a recently disclosed improper authorization vulnerability (CVE-2023-22518) affecting Confluence Data Center and Confluence Server. The security firm says the vulnerability has been exploited in “multiple customer environments, including for ransomware deployment.” Rapid7 notes, “The process execution chain, for the most part, is consistent across multiple environments, indicating possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers.” Atlassian issued patches for the flaw last week, urging customers to apply the fixes immediately.
Dave Bittner: Rapid7 has also observed exploitation of CVE-2023-22515, “a critical broken access control vulnerability in Confluence that came to light on October 4.”
The prevalence of breaches.
Dave Bittner: Armis has published a survey conducted by Vanson Bourne looking at cyber trends over the past year, finding, “61% of global organizations confirmed they had been breached at least once over the last 12 months, with 31% experiencing multiple breaches during the same period.” The top countries with organizations most likely to report breaches were the United States, Singapore, Australia, and New Zealand.
Dave Bittner: The researchers note, “On an average business day, 55,686 physical and virtual assets are connected to organizational networks. Global respondents shared that only 60% of these assets are monitored, leaving 40% unmonitored.”
Update on a Barracuda vulnerability.
Dave Bittner: Researchers at Vectra AI have found a way to bypass a rule designed to detect exploitation of a vulnerability (CVE-2023-2868) that affects Barracuda’s Email Security Gateways. The rule, which was developed by Proofpoint’s Emerging Threats team, “failed to alert on a specific proof-of-concept exploit, despite successful delivery of the exploit payload.” Proofpoint has since released a new rule that addresses Vectra AI’s findings.
Hacktivism and the cyber course of the Hamas-Israel war.
Dave Bittner: The cyberattacks Israel has sustained during the present war with Hamas have for the most part not risen above nuisance-level hacktivism. A typical example is the defacement of the Maccabi Tel Aviv basketball team's website with the message "Allah's victory is near."
Dave Bittner: Such hacktivism is likely to persist beyond whatever end the physical fighting reaches. SC Magazine inventories the kinds of war-driven threats businesses in particular should be alert for. Recast slightly, it's a familiar-looking list:
Distributed denial-of-service (DDoS) attacks.
Disinformation and other influence operations.
Data theft and doxing.
Dave Bittner: The most consequential cyberattacks of the war so far have emanated from Iran, and the head of Israel's National Cyber Directorate, Gaby Portnoy, sees the prospect of an intensified Iranian campaign as his biggest worry. “They [Iran] know that they can act there more freely [in cyberspace] than in the physical space,” Portnoy told CNN. “We are prepared for that as much as we can.”
Bot-hunting in Ukraine.
Dave Bittner: Interfax Ukraine reports the SBU's tally of bot-takedowns. Since the beginning of the current war in February of 2022, the Ukrainian security service says it's taken down seventy-six bot farms operating on Ukrainian territory and pushing pro-Russian narratives. "This is no longer just about professional intelligence services. We have information that a number of educational institutions are already teaching the subjects of 'cyberattacks on civilian infrastructure,'" SBU Cybersecurity Department head Illia Vitiuk said. "They want to increase the scale of attacks and the number of people who can do this professionally. By the way, they teach how [to] attack not only Ukrainian systems, but also partner countries." In other words, the Russians are looking at you, too, Collective West.
Dave Bittner: The SBU thinks that students and criminals are prime recruits into the Russian cyber services and their auxiliaries. They’ve got the skills, and they’re appropriately biddable.
Dave Bittner: And, finally, today is Election Day in the US. You might have missed it if you’re not living in the US, or even if you are in the US but were doing something more to the American taste, like watching football or playing Animal Crossing. It's an off-year election, and so attracts less attention than presidential or midterm voting, but cybersecurity experts are nonetheless watching the conduct of voting. The US Cybersecurity and Infrastructure Security Agency (CISA) is running an Election Operations Center to help secure the vote. The agency said, "This Elections Operations Center brings together federal partners, state and local election officials, and private sector election partners to share real-time threat information. CISA stands ready to provide technical security support to the election infrastructure community." We look forward to seeing any lessons learned.
Dave Bittner: In the meantime, access management platform provider Cerby has released a study of social media and election security that assesses various platforms for their vulnerability to account takeover and the spread of disinformation. Compared to last year, platforms increased their use of multifactor authentication, but enterprise-grade authentication and authorization, the study concluded, continue to lag.
Dave Bittner: So, as CISA would say, “shields up.”
Dave Bittner: Coming up after the break, Ben Yelin looks at data brokers offering information on active U.S. military personnel. Microsoft's Ann Johnson from the Afternoon Cyber Tea podcast speaks with Sharon Barber, Chief Information Officer at Lloyds Banking Group, about cyber trends in financial services. Stay with us. [ Music ] Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast right here on the CyberWire Podcast Network. In our most recent episode, she speaks with Sharon Barber, Chief Information Officer at Lloyds Banking Group, about cyber trends in financial services. Here's part of their conversation.
Ann Johnson: Today I'm joined by Sharon Barber, Chief Information Officer at Lloyds Banking Group. Sharon is responsible for group-wide IT service, cloud, and traditional technology infrastructure, security and technology resilience at Lloyds, and prior to this, as Chief Resilience and Security Officer, Sharon headed up teams responsible for cyber, physical, and information security activities along with sourcing, supply chain management, and divestments. As part of this role, Sharon led Lloyds' operational resilience strategy and implementation and the group's response to regulatory policy requirements. Sharon also led the group's incident response to the COVID-19 crisis. Sharon is Co-Chair of the U.K. National Cyber Advisory Board. That's a lot, Sharon. Do you expect to see more of that in the future, and do you think that more CISOs have ambitions to rise to the CIO role?
Sharon Barber: I actually think so. Maybe they don't realize they have the ambition to do that. I think we should definitely talk about it more, and it does depend on your background and experience. So I think if the CISO is technical, which more and more is the case these days, and as either want to experience or work closely with the IT teams, and I think it's a great career path and opportunity, and people should start to consider it. And then if you think in, you know, many areas, you know, technology and security are very closely linked. Everything is digital and online, and so it is very similar, and the non-technical skills are very transferable, especially those leadership skills you need in security and managing stakeholders at executive and board levels, and then also building high-performing teams. So, you know, so I definitely think it is a good transition, though I would say it's a different hat that you wear, no surprise. You go from setting the security standards, running the operations, and setting expectations, and security being top priority, to having to trade off the risks across the ecosystem, and it doesn't mean security isn't the top priority. It just means you have to think about it end-to-end on the risk side. But what I would say that has been great is that as a CIO with a security background, you know, it gives you the experience and the mandate to drive security ownership right through the organization and ensure that security is considered at the outset rather than it's somebody else's job to consider.
Ann Johnson: One of the reasons that I love cyber, and I've been doing it forever, it's a rapidly evolving industry. That rapid evolution, though, also requires constant innovation. Can you talk about your perspective on innovation in cyber?
Sharon Barber: Absolutely, I'm a firm believer that innovation is not just a nice-to-have, and it's critical for all of us to keep pace with a threat and stay ahead, and that's just -- that's not just in cyber. That's in all of our businesses. You know, then, you know, what we need to do as individual firms, and as industries, you know, we need to be thirsty for new and innovative ideas. There are some great startup hotbeds here in London but particularly in the U.S. and Tel Aviv. We're trying to support the U.K. as much as we can. We're a founding partner of LOCRA, the London Office of Cybersecurity Rapid Advancement. That's not -- that's not easy to slip off the tongue, but I think it's really important that we work together and we support the government's cybersecurity strategy, so that's a key one for us in the U.K., and as you interact with these great startups, you know, over the years, we've found some really useful technologies through these engagements, but it is wider than just, you know, leading-edge technologies. It's important to build a culture and build innovation into business as usual, what you do every day, making sure that your labs are building innovative ideas into their backlogs and strategies and not being afraid to fail as well, you know, so it's very much a mindset. We have to think differently and ensure innovation is a core part of our business processes and not just something exciting done by few people on site.
Dave Bittner: You can hear the Afternoon Cyber Tea podcast hosted by Microsoft's Ann Johnson right here on the CyberWire Podcast Network. [ Music ] And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, and also my co-host on the "Caveat" podcast. Hey, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: Interesting article from the folks at MIT Technology Review. This is written by Tate Ryan-Mosley and this is about how easy it is to buy data about U.S. military personnel from some of the online data brokers, folks that we certainly talk about a lot over on the "Caveat" podcast. What do you make of this, Ben?
Ben Yelin: So this is actually a pretty disturbing story. It comes from a study by Duke University. They approached 12 data brokers in the U.S. and asked, basically, what would be necessary to buy information on service members? They were looking for things like their names, home addresses, geolocation, net worth, even things as personal as religion, their children, and health conditions, and it turns out that these companies are not only able to sell this very sensitive data, but they are doing so on the cheap. So the study quotes as little as 12 cents per record. Data brokers in the U.S. are selling sensitive private data. There are many disturbing elements to the story. One is that these companies, these data brokers have offered to sell the data with basically no vetting, and the Duke University researchers used email domains based in both the United States and in various Asian countries and that didn't make a difference as to whether the brokers were willing to sell the records. Really, this is a story about the utter lack of regulation we have around data brokers and this just might be a type of catalyst for our policymakers to get involved and to institute some type of protections. If you're a data broker, I mean, you know, besides morality, what do you care if this data is getting sold and what it's being used for?
Dave Bittner: Well, presumably, somewhere along the lines, there was a EULA, right, where these service members agreed to having their data shared.
Ben Yelin: Absolutely.
Dave Bittner: Yeah.
Ben Yelin: With whatever application they were using to share that data.
Dave Bittner: Right.
Ben Yelin: The EULA, I'm sure they read all 600 pages of it.
Dave Bittner: Of course, as we all do.
Ben Yelin: Yeah, exactly. You know, before I order my Dunkin Donuts coffee, I just make sure that I go through the terms and conditions.
Dave Bittner: That's right.
Ben Yelin: But yeah, and this has become kind of a Wild West unregulated field, and like I said, it's hard to blame the data brokers here because this is their industry. They're making money off of it.
Dave Bittner: Right. Not illegal.
Ben Yelin: It's not illegal, and yes, they -- this Duke University study has now found the most sensitive group of individuals whose data is being stolen. All of us admire our servicemen and women. They are our best and brightest, and to see their data, especially their personal data, being used in this way I think is very disturbing. So maybe this can help be a catalyst to institute a broad data privacy protection that requires the equivalent of some type of Fourth Amendment search, if it's the government, or extra privacy protections if it's simply private industry, to obtain this data from data brokers. I think that's really the ultimate goal here, is to take this out of the Wild West of regulation and to bring it under a regime that is more protective of the sensitive data.
Dave Bittner: Yeah. Indeed, they reached out, or "they" being MIT Technology Review reached out to Senator Elizabeth Warren, who, I think it's safe to say, is a usual suspect when it comes to these sort of data privacy things, right?
Ben Yelin: Absolutely, yup, right.
Dave Bittner: But she also serves on the U.S. Senate Armed Services Committee, and she said that data brokers are selling sensitive information about service members and their families for nickels without considering the serious national security risks. This report makes clear that we need real guardrails to protect the personal data of service members, veterans, and their families. To what degree do you agree that this could pose a national security risk?
Ben Yelin: You know, it's hard to say. I mean, I think there's always a risk that with this type of sensitive information, if it gets into the wrong hands, it could be used as a method to attack service members, especially if we're talking about geolocation data, so for things like attempts at terrorist attacks, I mean, this could be a weapon that's deployed. If you're thinking about terrorist organizations, this would be a cheap way for them to obtain data in ways that they previously just would not have been able to do.
Dave Bittner: Right.
Ben Yelin: So yeah, I certainly think there is a risk out there. It's not a reason for any of us to panic, but because this data is so personal and so sensitive and it's targeting service members, I think there absolutely is that risk that it affects our national security.
Dave Bittner: Yeah. Another thing that this report highlights is that some of the brokers asked the researchers to sign non-disclosure agreements. So in other words, you're going to buy this data from us, but you can't tell anybody.
Ben Yelin: Yeah, that's something that's very interesting and disturbing to me. I mean, I think that was an interesting part of the study, is that the Duke researchers weren't just passively observing how this industry works. They were actively purchasing the data and kind of showing us, baring to the rest of us who aren't familiar with the world of data brokers how this all works, so the fact that they're trying to force them to agree to these NDAs I think is really illuminating. I think that it kind of reveals a consciousness, in some sense, on the part of these companies, that they are dealing with sensitive data and they are just trying to protect their own legal interests instead of actually wanting to solve the problem.
Dave Bittner: Right.
Ben Yelin: Which is to institute more privacy protections. So yeah, I definitely think that is a disturbing element to it. It's what one of the researchers called a "veil of secrecy" that data brokers are drawing around their practices.
Dave Bittner: Mm-hm, yeah. MIT also reached out to Senator Ron Wyden, another usual suspect.
Ben Yelin: Absolutely, yup.
Dave Bittner: He said -- he said, "Not to sound like a broken record, but our country desperately needs a comprehensive consumer privacy law here to limit the collection, retention, and sale of sensitive personal information from the start." I feel like Senator Wyden could have that tattooed across his forehead, right?
Ben Yelin: I think so, yeah. That could be the outgoing message on his Senate office phone voicemail.
Dave Bittner: Right.
Ben Yelin: Yeah. I -- I wonder if they're going to bring some of these representatives from some of these companies in for a good old-fashioned congressional grilling, maybe in front of the Armed Services Committee, and bring some service members who've had their data brokered, just like the study seems to indicate, and make a real show of it, you know.
Dave Bittner: Good old-fashioned naming and shaming.
Ben Yelin: Absolutely. It's very effective. I mean, how do you think we got those tobacco companies finally? Get them in front of there and shame them to their face.
Dave Bittner: Yeah, yeah. All right. Well, again, this is an article from MIT Technology Review written by Tate Ryan-Mosley. It's titled "It's Shockingly Easy to Buy Sensitive Data about U.S. Military Personnel." Ben Yelin, thanks for joining us.
Ben Yelin: Thank you. [ Music ]
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at email@example.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]