The CyberWire Daily Podcast 12.14.23
Ep 1967 | 12.14.23

Taking down the storm.

Transcript

Dave Bittner: Microsoft takes down the Storm-1152 cybercrime operation. “GambleForce” is a newly discovered threat actor. The SVR exploits a JetBrains TeamCity vulnerability. US Postal Service impersonation. Malicious ads associated with Zoom. An update on the cyberattack against Kyivstar. Apache issues a Struts 2 security advisory. The FCC adopts new data breach rules. In our latest Threat Vector segment, David Mouton and Palo Alto Networks Madeline Sedgwick discuss the skills and methods necessary for understanding threat actor intent and behaviors. And the State Department's Global Engagement Center is under fire.

Dave Bittner: Today is December 14, 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Microsoft takes down Storm-1152 cybercrime operation.

Dave Bittner: Microsoft has dismantled the infrastructure of "Storm-1152," a cybercrime operation that sold fraudulent Outlook accounts to other hackers, including the Scattered Spider gang. Storm-1152, a significant player in the cybercrime as a service (CaaS) ecosystem, created about 750 million fake Microsoft accounts through its service "hotmailbox.me," generating millions in illicit revenue and causing extensive damage to Microsoft. This group was labeled as the leading creator and seller of fraudulent Microsoft accounts.

Dave Bittner: Storm-1152's modus operandi involved using bots to deceive Microsoft's security systems, creating fake Outlook email accounts, and then selling them to cybercriminals. They also offered CAPTCHA solver services, aiding fraudsters in bypassing CAPTCHA systems and exploiting Microsoft and other online environments.

Dave Bittner: Microsoft's investigation revealed that groups like Scattered Spider, involved in major ransomware attacks and data breaches, including against Okta customers and MGM Resorts, utilized Storm-1152's services. These attacks caused disruptions and damages running into hundreds of millions of dollars.

Dave Bittner: On December 7, Microsoft obtained a court order to seize Storm-1152's U.S.-based infrastructure and domains, including hotmailbox.me and the associated CAPTCHA services. The company also identified the individuals behind this operation, all based in Vietnam.

Dave Bittner: Microsoft's Digital Crimes Unit, led by April Hogan-Burney, headed up the effort, assisted by Arkose Labs, who have been tracking Storm-1152 since August 2021. Arkose Labs' CEO, Kevin Gosschalk, noted Storm-1152's uniqueness in operating openly on the internet, offering training and customer support for its tools.

New threat actor discovered: “GambleForce.”

Dave Bittner: Security firm Group-IB announced this morning its discovery of "GambleForce," which it describes as a new threat actor working against targets in Australia, China, India, Indonesia, the Philippines, South Korea, Thailand, and Brazil. The group's name derives from its initial attention to the gambling sector, but GambleForce quickly branched out to government, retail, and travel websites. Job-seeking sites also figured among the targets. Group 

Dave Bittner: Group-IB states,"In almost all known attacks, GambleForce abused public-facing applications of victims by exploiting SQL injections." Among the attack software the group used were publicly available open-source tools. GambleForce seems to have been indiscriminate in its theft of accessible data, but the researchers haven't been able to determine what the threat group is doing with that data. Group-IB says it's taken down GambleForce's command-and-control server and notified the victims it's been able to identify.

SVR exploits JetBrains TeamCity vulnerability.

Dave Bittner: The FBI, CISA, NSA, SKW, CERT Polska, and the UK's NCSC have jointly warned that Russia's SVR is exploiting a vulnerability in JetBrains TeamCity software. TeamCity is critical for software development processes like building and testing. The SVR's successful exploitation of this vulnerability could give them access to source code, signing certificates, and software deployment processes, posing a significant software supply chain threat. This operation mirrors the SVR's past tactics, including the notorious 2020 SolarWinds breach. While the current exploitation hasn't had as widespread an impact, the SVR has used it to escalate privileges, move laterally, deploy backdoors, and ensure long-term network access. Their targets are selected based on vulnerability exposure.

Dave Bittner: The advisory details the SVR's cyber attack techniques, indicators of compromise, and recommended mitigations. It also reviews the SVR's history of cyber operations since 2013, highlighting their focus on gathering foreign intelligence and targeting technology companies for future operations. Fortinet researchers provide insights into the SVR's methods, including the use of GraphicalProton malware for persistence, a tool previously linked to other SVR activities.

USPS impersonation.

Dave Bittner: Researchers at Uptycs are tracking a smishing campaign that’s impersonating the US Postal Service in order to steal victims’ personal and financial information. The text messages inform recipients that a USPS delivery requires their attention, and direct them to click on a link in order to resolve the issue. The link leads to a fake USPS website that asks the user to enter their name, address, and billing information.

Dave Bittner: The researchers have tied this campaign to over a thousand active phishing sites. Uptycs believes the scammers are based in China, and are targeting users around the world.

Malicious ads associated with Zoom.

Dave Bittner: Researchers at Malwarebytes are tracking an increase in malvertising themed around Zoom, noting that “these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users, in order to gain access to company networks.” One of the campaigns is delivering a new loader dubbed “HiroshimaNukes” that delivers information-stealing malware. The researchers add, “Threat actors have been alternating between different keywords for software downloads such as ‘Advanced IP Scanner’ or ‘WinSCP’ normally geared towards IT administrators.”

Update: the cyberattack against Kyivstar.

Dave Bittner: Ukraine's SBU has attributed a recent cyberattack on Kyivstar, Ukraine’s major mobile and internet service provider, to a Russian "pseudo-hacker group" working for the GRU, giving Russia plausible deniability. The group, Solntsepek, claimed on Telegram that they targeted Kyivstar for supporting Ukraine's military and government agencies. They exaggeratedly claimed to have "destroyed" thousands of computers, servers, and all cloud storage and backup systems of Kyivstar. Although the extent was overstated, the disruption was significant. Another group, KillNet, initially claimed responsibility, but analysts from Mandiant dismiss this as unlikely, viewing it as an opportunistic claim lacking credibility. The cyberattack began Tuesday morning, with Kyivstar gradually restoring services, starting with landline voice services, although full recovery is expected to take time. Solntsepek has been linked to the GRU's Sandworm activities.

Apache issues Struts 2 security advisory.

Dave Bittner: Apache has issued a security advisory for a critical flaw in the Struts 2 web application framework, which could lead to remote code execution. This vulnerability, discovered by Steven Seeley of Source Incite, stems from defective file upload logic, allowing unauthorized path traversal and the potential uploading of malicious files to execute arbitrary code. Struts, a Java framework for building web applications, has released patches for the affected versions. Developers are strongly urged to update as there are no alternative workarounds.

Dave Bittner: Although no real-world malicious exploits have been reported yet, a past security flaw in Struts was used in the 2017 Equifax breach. Recent updates indicate that threat actors are now attempting to exploit this vulnerability, with reports of active exploitation to install web shells and establish network footholds.

FCC adopts new data breach rules.

Dave Bittner: The Federal Communications Commission (FCC) has adopted new data breach rules, expanding the definition of a breach to include inadvertent access or disclosure of customer information. The updated rules also extend to all customers' personally identifiable information held by carriers and telecommunications relay services. FCC Chair Jessica Rosenworcel emphasized the need for these rules to ensure customer information safety and cybersecurity.

Dave Bittner: The decision, passed with a 3-2 vote, is likely to face opposition from Senate Republicans, particularly Sen. Ted Cruz, who previously criticized the proposed changes. The two Republican commissioners voted against the order, expressing concerns about potential conflicts with congressional limits on agency powers.

Dave Bittner: The new rules mandate carriers and providers to notify the FCC, FBI, and Secret Service within seven days of a breach affecting 500 or more customers. For breaches involving fewer than 500 customers and deemed non-harmful, carriers can report annually. This change aligns with the FCC's increased focus on privacy under Rosenworcel, including the formation of a Privacy and Data Protection Task Force.

Dave Bittner: The FCC's move is part of a broader trend of enhanced federal data breach reporting requirements, alongside recent updates by the Federal Trade Commission and new SEC breach notification rules set to take effect soon.

Dave Bittner: Coming up after the break, David Moulton from Palo Alto Networks speaks with Madeline Sedgwick. They discuss the skills and methods necessary for understanding threat actor intent and behaviors. Stay with us. 

Madeline Sedgwick: [Music] Top Guns, the reason why I joined the Navy. I didn't end up being a pilot obviously. There was not a lot of belief that I was going to do very well in the military mostly because I had done four years at a very art centric environment.

David Moulton: Welcome to "Threat Vector," a segment where Una 42 shares unique threat intelligence insights, new threat actor TTPs, and real world case studies. Una 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, director of thought leadership for Una 42. [ Music ] In today's episode, I'm going to speak with Madeline Sedgwick about the types of skills and methods needed to understand threat actor intent and behaviors as part of threat hunting and how that helps with threat deterrence. Madeline is a Senior Cyber Research Engineer and Threat Analyst for the Cortex Expanse Team at Palo Alto Networks. She's held roles in the Navy, the DOD, the Marine Corps, along with several private sector jobs. Madeline, where are you recording from today?

Madeline Sedgwick: Jacksonville, Florida.

David Moulton: I remember the last time I was in Jacksonville. It's beautiful.

Madeline Sedgwick: Oh, it is. Home of the Jacksonville Jaguars.

David Moulton: So before the show, we were talking a little bit about the different types of skills that you're looking for when you're building a team. And I thought that was really fascinating. Talk to me about what types of people you're looking for when you're putting together a team.

Madeline Sedgwick: Cybersecurity is not just about understanding how networks work and house computers process information. It's also about understanding behavior. Why an adversary does what an adversary does? And what are the motivations behind the adversaries activity? I can anticipate how the world's changing and how the geopolitical landscape is changing, then I can anticipate also potential threats on the horizon i need to be aware of. I think there's a misconception that the higher educated, the more certifications you have as a potential cybersecurity analyst, the better you're going to be at the job. I would take the person who has the understanding of systems, who can break down a system identify what makes this system work, what doesn't make a system work, and then also be able to pivot that understanding of the system to how human beings work.

David Moulton: So, Madeline, tell our listeners your thoughts on how analyzing a threat actor's behavior and intent help threat hunters avoid guesswork.

Madeline Sedgwick: So if you look at adversary behavior, you don't have to guess what infrastructure is vulnerable. I know that if I have a public facing device, it can be exploited by an adversary using an exploit. What does that exploit use? Is it a get request, an HTTP get request? Is it something that gets thrown at my network to make that device do something? All of these things can contribute to identifying the behavior behind an actor, that's not necessarily tied to specific vulnerabilities? Because that's how we kind of pigeonhole ourselves into thinking if I protect from the vulnerability, I'll protect my network, which is not the case.

David Moulton: What are some of the most helpful resources that you found to help understand threat actor behavior and intent.

Madeline Sedgwick: Sure. So I day in, day out employ a number of different capabilities. I come from an intelligence background and we don't like to rely on one data source. Twitter is a great one stop shop for people trying to get out information as quickly as possible. There's very talented cybersecurity analysts who get into the weeds and are subject matter experts where I'm not a subject matter expert on a particular actor, and certain tactics they those actors use. And then a combination of data sources, so packet capture data, and then open source information. We like to combine as many different perspectives as possible so that we can get true insight by identifying threat activity.

David Moulton: What's the one thing that you should remember from this conversation?

Madeline Sedgwick: Cyber adversaries are human beings. That's why they make mistakes. Being a computer hacker, being a threat actor doesn't give you superpowers. It doesn't give you, like, matrix level neo insight into the Internet. They're limited to the same, like, all like the laws of internet physics, right? [Music] I can anticipate why an adversary does what an adversary does and what are the motivations behind that adversaries activity, then I can anticipate potential threats on the horizon I need to be aware of. [ Music ]

David Moulton: Madeline, thanks for joining me today on Threat Vector. We'll be back on the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]

Dave Bittner: That's Palo Alto Networks, David Moulton and Madeline Sedgwick. [ Music ] And finally, the State Department's Global Engagement Center tasked with countering propaganda from terrorists and hostile nations is under fire, the New York Times reports. Accusations in court and Congress allege the GEC has helped social media platforms, like, Facebook, YouTube and X Twitter censor Americans breaching the First Amendment. Texas Attorney General, Ken Paxton and two conservative news outlets have sued, claiming GEC's actions are severe censorship. The GCC founded in 2011 with a $61 million budget and 125 staff members, counters foreign disinformation, especially from Russia and China. It's now facing existential threats including potential disbandment if its mandate expiring next year isn't renewed. James P. Rubin, the GEC's coordinator denies the censorship allegations, emphasizing their focus on foreign disinformation. The controversy is part of a broader debate on free speech and disinformation reaching the Supreme Court. The GEC's interactions with social media companies have been scrutinized, but there's been no evidence of coercion or influence. Despite this, the House Republicans have challenged the GEC's mandate renewal. The lawsuit from Texas claims the GEC indirectly sensors through grants to organizations identifying disinformation. The Federalist and the Daily Wire involved in the lawsuit were tagged as high risk for disinformation by a GEC funded project. The debate continues over whether fighting disinformation is a form of censorship with political effectiveness outweighing evidence. In the world of tech and politics, it looks like the Global Engagement Center may be playing a high stakes game of Whack a Mole. Only this time it's not just propaganda they're dodging, but lawsuits and legislative curveballs. [ Music ] And that's the CyberWire. For links to all of today's stories check out our daily briefing at the cyberwire.com. CyberWire listeners as we near the end of the year, it's the perfect time to reflect on your company's achievements, and set new goals to boost your brand across the industry. We'd love to help you achieve those goals. We've got some unique end of year opportunities complete with special incentives to launch 2024, so tell your marketing team to reach out. Send us a message at sales at the cyberwire.com, or visit our website so we can connect about building a program to meet your goals. We'd love to know what you think of this podcast you can email us at cyberwire@n2k.com. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin. Our mixer is Trey Hester, with original music by Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Karp. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]