The CyberWire Daily Briefing.

"EU fines Meta for transatlantic data transfers."

Views expressed in this cybersecurity, cybercrime update are those of the reporters and correspondents.  Accessed on 22 May 2023, 2006 UTC.  Content provided by email subscription to "The CyberWire Daily Briefing."

Source:  https://mail.google.com/mail/u/0/#inbox/FMfcgzGsmhcJnqBKhTXQDbSlvCJxvlSG ("The CyberWire Daily Briefing").

Please click link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (https://www.hawaiicybesecurityjournal.net).

More signal, less noise.

Early bird registration is open. Get the lowest price we offer.

Register now for Mandiant’s mWISE security conference.

Daily Briefing

May 22, 2023.
ANNOUNCEMENT

CSO Perspectives is back.

CSO Perspectives has returned for a 13th season. Tune in to the season premiere to hear our CSO Rick Howard go through cybersecurity first principles as they apply to the infosec workforce gap. This show is a CyberWire Pro exclusive, so subscribe to Pro to catch new episodes every Monday. Subscribe and listen.

SUMMARY

At a glance.

  • EU fines Meta for transatlantic data transfers.
  • FIN7 returns, bearing Cl0p ransomware.
  • Python Package Index temporarily suspended new user and new project registration due to a spike in malicious activity.
  • Typosquatting and TurkoRAT.
  • UNC3944 uses SIM swapping to gain access to Azure admin accounts.
  • Shifts in Russia's cyber campaign: a Ukrainian perspective.
  • A Turla retrospective.
  • FBI found to have overstepped surveillance authorities.

EU fines Meta for transatlantic data transfers.

The EU has levied a €1.2 billion ($1.3 billion) fine against Facebook's corporate parent Meta, the AP reports. Ireland’s Data Protection Commission, which oversees US companies' activities in Europe on behalf of the EU, handed down the fine over what it judged to be data transfers to US-based systems that violated the EU's General Data Protection Regulation (GDPR). Meta calls the decision unjustified and says it will appeal. For now, Facebook services in Europe remain uninterrupted. The Wall Street Journal notes that the decision is likely to place pressure on Washington to arrive at some modus vivendi with the EU over data practices that would replace the defunct Safe Harbor agreement. Meta has until October to comply with the Data Protection Commission's directives

Sponsored by Expel

What are your biggest resource challenges? Expel makes every investment count.

ISOs have lots to think about. Teams and tech stacks. Budgets and booming attack surfaces. Security strategies evolving to address business goals. All of the above?

Expel’s software-driven approach to managed security puts your existing tech to work across cloud (and Kubernetes!), on-prem, network, SaaS, and SIEM, automating alert analysis, prioritization, and remediation so you get better answers to what matters the most. Fast.

Optimize your tech. Support your team. Stretch your budget. Expel.

FIN7 returns, bearing Cl0p ransomware.

The FIN7 cybercrime gang has been observed deploying Cl0p ransomware, the Hacker News reports. Microsoft observed the gang's activity in April of this year (their first activity since a hiatus that began in late 2021) tracking them under the moniker “Sangria Tempest.” The hackers were observed using a multitude of tools to gain hold of victim’s systems before the deployment of the Cl0p ransomware, the Record reports. The group had previously been seen deploying REvil and Maze malware, and later DarkSide and BlackMatter ransomware, Microsoft wrote on Thursday in one of a series of tweets. “In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizard post-exploitation tool and get a foothold into a target network. They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware.” Security Affairs writes that the gang had been seen in previous years targeting restaurants, gambling, and the hospitality sector generally in the US, among a broad range of other victims.

Sponsored by CyberArk

The future of security is identity and with CyberArk, the future of identity is secure.

With 84% of organizations experiencing an identity-related breach, identity is the new battlefield. As the pioneers of privileged access management, we started by protecting the most privileged users and most critical data. With intelligent privilege controls, today we’re applying the same levels of security and protection to every identity – both human and machine. CyberArk offers the most advanced identity security platform in the world, surrounding every identity with a powerful force field of continuous protection.

Python Package Index temporarily suspended new user and new project registration due to a spike in malicious activity. 

Python Package Index (PyPI) temporarily disabled new user sign-up and new uploading on its platform on Saturday due to a spike in malicious users and malware. PyPI writes, “New user and new project name registration on PyPI is temporarily suspended. The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave. While we re-group over the weekend, new user and new project registration is temporarily suspended.” These types of third party supply chain attack vectors are becoming more common among malware campaigns as they give threat actors access to more victims with less work.  By attacking a third party site and embedding malicious software in seemingly legitimate code, the actors are able to disseminate malware to would-be victims with less need to launch a full scale campaign. PyPI have not released any specific details regarding this spike in malicious activity, but Computing reported this morning that the organization had restored access to its platform.

Typosquatting and TurkoRAT. 

Researchers at ReversingLabs have released a report detailing a “typosquatting” scheme that involves a Trojan software that masquerades as legitimate npm software. Typosquatting, as CSO explains, “Involves copying a legitimate package, adding malicious code to it and publishing it with a different name that's a variation of the original in the hope that users will find it when searching for the real package.” The researchers explained, “The legitimate and malicious packages differ by only two letters, this is a clear example of typosquatting, making it highly possible that a developer may mistakenly download the malicious nodejs-cookie-proxy-agent in place of the legitimate node-cookie.” This package contained all of the functionality of the original software, but the bad actors included a 100MB file which contained TurkoRAT, an info stealer capable of credential harvesting and a built-in cryptowallet grabber. This campaign seems to have affected a very small portion of the customer base, as the malware was only downloaded 1,200 times, compared to the legitimate version's having been downloaded 20 million times.

UNC3944 uses SIM swapping to gain access to Azure admin accounts.

Threat actors gained access to a Microsoft Azure administrator account through an SMS phishing and SIM swapping campaign. Researchers at Mandiant have tracked UNC3944 in its SIM swapping campaign and infiltration of Azure. The researchers write, “UNC3944 is a financially motivated threat actor which Mandiant has been tracking since May of 2022. Their tactics often include SIM swapping attacks followed by the establishment of persistence using compromised accounts…This threat group heavily relies on email and SMS phishing attacks and have also been observed attempting to phish other users within an organization once they’ve gained access to employee databases.” SIM swapping, as explained by Mozilla’s dist;//ed, is a social engineering technique in which attackers pose as service providers requesting identity verification for sim card activation to gain pin numbers, the last four digits of a social security number, or other sensitive information for identity verification.

The criminals use the compromised accounts to gain initial access and begin building persistence and gathering information. The attackers use a reverse SSH tunnel and utilize commercial off-the-shelf tools to avoid security measures and maintain persistence. “Living off the Land attacks have become far more common as attackers have learned to make use of built-in tools to evade detection. The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer. Mandiant recommends that organizations restrict access to remote administration channels and disable SMS as a multifactor authentication method wherever possible”, the researchers conclude. 

Shifts in Russia's cyber campaign: a Ukrainian perspective.

The Record has a long interview with Yurii Shchyhol, the head of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), in which he reviewed the ways in which Russian cyber operations have shifted to support the present phase of Russia's war. Shchyhol says Moscow's cyber operators are paying more attention to the private sector than they had earlier in the war. He also notes a shift away from the destructive wiper malware that had been a characteristic feature of Russian cyber operations in the early weeks of the war. The focus is now on information collection: reconnaissance and cyberespionage, which is to say battlespace preparation.

A Turla retrospective.

The FSB's Turla group recently received a setback when the FBI and its international partners took down some of the threat group's infrastructure. The takedown prompted a retrospective in WIRED, which covers some of Turla's most notorious operations. The recent FBI-led takedown of infrastructure devoted to the distribution of Turla's Snake malware has been a blow to the FSB, but as WIRED points out, it would be unwise to count Turla out.

The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.

FBI found to have overstepped surveillance authorities.

Reuters reports that a ruling Friday by the US Foreign Intelligence Surveillance Court finds that the US Federal Bureau of Investigation (FBI) improperly used a US database of foreign intelligence. The Bureau accessed the database “278,000 times over several years, including on Americans suspected of crimes.” According to the Record, the FBI was found to have improperly searched the communications of those who participated in the January 6, 2021 riot at the US Capitol, as well as the 2020 protests against police brutality following the death of George Floyd. The violations include “improper searches of donors to a congressional campaign,” the AP writes, and predate “a series of corrective measures that started in the summer of 2021 and continued last year.”

The data were accessible via the Foreign Intelligence Surveillance Act (FISA). Congress is currently divided on how to move forward with reauthorization of Section 702 of the Act, which allows for “US intelligence agencies to conduct warrantless surveillance of non-US citizens abroad.” The law is set to expire at the end of the year unless Congress reauthorizes it.

[1403]

Notes.

Today's issue includes events affecting Australia, Bahrain, Belarus, Canada, China, the European Union, France, Germany, India, Israel, Japan, Morocco, Russia, Sudan, Ukraine, the United Arab Emirates, the United Kingdom, and the United States.

SPONSORED EVENTS

Cyber Security Summits in Dallas, Denver & Austin (Multiple locations, May 2 - 25, 2023) Join us In-Person and network over breakfast, lunch & a cocktail reception in Dallas on 5/2, Denver on 5/18 and Austin on 5/25. Learn how to protect your business from Cyber threats from The FBI, U.S. DHS / CISA, Darktrace & more. Earn up to 8 CPE/CEU credits with your attendance. Get $100 off admission w/ code CyberWire23 at CyberSecuritySummit.com.

Georgetown University Programs in Cybersecurity Webinar (Virtual, June 7, 2023) Advance your cybersecurity career with a Master's in Cybersecurity Risk Management from Georgetown University. You'll develop and execute integrated strategies, policies, and safeguards to manage risks across an enterprise. Attend our webinar on June 7 to learn more.

mWISE early bird registration is open. Get the lowest price we offer. Washington, D.C. or online (Washington, D.C. / /Virtual, September 18 - 20, 2023) Early bird registration for Mandiant’s mWISE, the targeted security conference where we use the power of collective intelligence to combat emerging threats. Get the best price we offer at this highly targeted, vendor-neutral, community-focused event. mWISE Conference 2023 Registration is Open

SELECTED READING

Dateline: Russia's hybrid war against Ukraine.

Ukraine at D+452: Russia claims victory in Bakhmut as the G7 finishes its meeting. (CyberWire) Ukraine has denied Russian claims of having secured Bakhmut. The G7 meetings conclude with more ...

Russia-Ukraine war at a glance: what we know on day 453 of the invasion (the Guardian) Russian-imposed Donetsk leader Denis Pushilin says demining is being carried out in Bakhmut; ...

Ukraine Races to Forge New Army Ahead of Offensive (Wall Street Journal) Kyiv is training military recruits—among them an actor, lawyer and security guard—to take part in ...

Find MORE on our website.

Attacks, Threats, and Vulnerabilities

KeePass Exploit Allows Attackers to Recover Master Passwords from Memory (The Hacker News) A newly discovered security flaw (CVE-2023-32784) in KeyPass password manager software could expose ...

CISA warns of Samsung ASLR bypass flaw exploited in attacks (BleepingComputer) CISA warned today of a security vulnerability affecting Samsung devices used in attacks to bypass ...

Cybercrime gang FIN7 returned and was spotted delivering Clop ransomware (Security Affairs) Cybercriminal gang FIN7 returned with a new wave of attacks aimed at deploying the Clop ransomware ...

Find MORE on our website.

Security Patches, Mitigations, and Software Updates

HP rushes to fix bricked printers after faulty firmware update (BleepingComputer) HP is working to address a bad firmware update that has been bricking HP Office Jet printers ...

ASUS routers knocked offline worldwide by bad security update (BleepingComputer) ASUS has apologized to its customers for a server-side security maintenance error that has caused a ...

Trends

Business email compromise is on the rise, Microsoft warns (Axios) An often-overlooked cybercrime tactic is getting more sophisticated and growing in popularity among ...

Rise in cyberattacks worries capital market registrars (Punch Newspapers) Owoturo said that an increased threat of cyberattacks had given rise to renewed efforts by capital ...

67% Of Indian Firms To Outsource Key Security Functions As Cyber Attacks Spike (Zee News) About 72.5 per cent of the enterprises said they use threat intelligence products or services in ...

Marketplace

Option3 Aims to Strengthen National Cybersecurity with New Acquisition Plans (TechBullion) New York-based cybersecurity private equity firm Option3 is actively engaged in negotiations to ...

Accenture, Raytheon, Stellar Ventures Invest in Space Cybersecurity Company SpiderOak (GovCon Wire) Looking for the latest GovCon News? Check out our story: Accenture, Raytheon, Stellar Ventures ...

SentinelOne is leveraging A.I. to fend off cyberattacks (Fortune) A $100 million IPO in 2021 has allowed the company to play offense against cybercriminals.

Find MORE on our website.

Products, Services, and Solutions

Ping Identity Achieves DOD IL5 Authorization (PR Newswire) Ping Identity, the intelligent identity solution for the enterprise, announced its core identity and ...

Orion Governance Licenses Technology from GE to Deliver Next Generation Data Governance Solution (GlobeNewswire News Room) Orion will embed certain GE data governance solutions to help ensure enhanced security in today’s ...

Thales strengthens its leadership in Automotive Cybersecurity with a new certification (Thales Group) There is a clear growing demand for increased cybersecurity in the automotive industry. The United ...

Find MORE on our website.

Technologies, Techniques, and Standards

Ponemon Cybersecurity Training Study Finds Significant Shifts In Cybersecurity Training Over Past Two Years with 24% Higher Use of Simulated Environments (GlobeNewswire News Room) Study finds Realistic Simulation Training Provides an Average ROI of 40%...

OSINT Methods To Investigate Suspected AI Generated Content (ShadowDragon) The proliferation of content generated by artificial intelligence (AI) is just beginning. Recent ...

DarkBERT could help automate dark web mining for cyber threat intelligence (Help Net Security) Researchers have developed DarkBERT, a language model pretrained on dark web data, to help ...

Find MORE on our website.

Design and Innovation

The debate over whether AI will destroy us is dividing Silicon Valley (Washington Post) Prominent tech leaders are warning that artificial intelligence could take over. Other researchers ...

AI Is About to Make Social Media (Much) More Toxic (The Atlantic) We must prepare now.

The open-source AI boom is built on Big Tech’s handouts. How long will it last? (MIT Technology Review) Greater access to the code behind generative models is fueling innovation. But if top companies get ...

Find MORE on our website.

Research and Development

Crossing the Valley of Death: Estonia's Innovation-driven Defense Technologies Amid Cyber Threats (AFCEA International) Estonia's defense innovation thrives despite limited budget, repurposing business cybersecurity ...

Academia

CYBERCOM’s Academic Engagement Network hosts Cyber Recon Symposium, Recognizes Cyber Resea (U.S. Cyber Command) CYBERCOM’s Academic Engagement Network hosts Cyber Recon Symposium, Recognizes Cyber Research ...

ChatGPT caught NYC schools off guard. Now, we’re determined to embrace its potential. (Chalkbeat New York) After a cautious start, our approach to AI technology is evolving.

Legislation, Policy, and Regulation

Quad Leaders’ Joint Statement | The White House (The White House) 20 May 2023, Hiroshima Today, we — Prime Minister Anthony Albanese of Australia, Prime Minister ...

Quad Leaders’ Summit Fact Sheet | The White House (The White House) Hiroshima, 20 May 2023 President Joseph R. Biden, Jr., Prime Minister Anthony Albanese of Australia, ...

Regional cyber powers are banking on a wired future. Expanding the Abraham Accords to cybersecurity will help. (Atlantic Council) The Abraham Accord countries face threats from hostile actors, and defending their technology and ...

Find MORE on our website.

Litigation, Investigation, and Law Enforcement

Meta Fined $1.3 Billion Over Data Transfers to U.S. (Wall Street Journal) The decision puts pressure on Washington to implement surveillance changes for Europe to allow Meta ...

Meta fined record $1.3 billion and ordered to stop sending European user data to US (AP NEWS) The European Union has slapped Meta with a record $1.3 billion privacy fine and ordered it to stop ...

Meta fined more than €1 billion for GDPR breach (Computing) Meta Platforms, the owner of Facebook, has been fined €1.2 billion over the transfer of EU users' ...

Find MORE on our website.

SPONSOR & SUPPORT

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.
The CyberWire logo
 
Twitter IconFacebook IconLinkedIn IconEmail Icon
 

Copyright © 2023, CyberWire Inc. Views and assertions of the various sources cited, Selected Reading articles, and images are those of the authors and artists, not the CyberWire, Inc.

Comments

Popular posts from this blog

Cyber War News Today.

BleepingComputer.com

The Cyberwire Daily Briefing