Archive.fm

CyberWire Daily

U.S. tightens the cybersecurity belt.

Duration:
30m
Broadcast on:
21 Jun 2024
Audio Format:
mp3

Biden bans Kaspersky over security concerns. Accenture says reports of them being breached are greatly exaggerated. SneakyChef targets diplomats in Africa, the Middle East, Europe and Asia. A serious firmware flaw affects Intel CPUs. More headaches for car dealerships relying on CDK Global. CISA Alerts Over 100,000 Individuals of Potential Data Breach in Chemical Security Tool Hack. SquidLoader targets Chinese organizations through phishing. A new nonprofit aims to establish certification standards in maritime cybersecurity. A sneak peek of our latest podcast, Only Malware in the Building. Using the court system for customer support.

Our 2024 N2K CyberWire Audience Survey is underway, make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.


CyberWire Guest

Guest Selena Larson, joined by Dave Bittner and Rick Howard, hosts the new podcast "Only Malware in the Building." This monthly collaboration between N2K CyberWire and Proofpoint delves into the most impactful and intriguing malware stories. Selena makes complex cybersecurity info fun and digestible, offering tech professionals clear, actionable insights. 


Selected Reading

Biden bans US sales of Kaspersky software over Russia ties (Reuters)

Exclusive: Accenture says data leak claims false, only 3 affected (Cyber Daily)

Chinese-aligned hacking group targeted more than a dozen government agencies, researchers find (CyberScoop)

Intel-powered computers affected by serious firmware flaw (CVE-2024-0762) (Help Net Security)

CDK warns: threat actors are calling customers, posing as support (bleepingcomputer)

Personal and Chemical Facility Information Potentially Accessed in CISA Hack (SecurityWeek)

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document (gbhackers)

New body IMCSO to elevate standards and streamline provisioning of cybersecurity services in Maritime (itsecurityguru)

US DHS partners with Indonesia to strengthen maritime cybersecurity in Indo-Pacific region (Industrial Cyber)

How small claims court became Meta's customer service hotline (engadget).

The curious case of the missing IcedID (Only Malware in the Building)


Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. 


Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.


You're listening to the CyberWire Network, powered by N2K.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A.com/cyber for $1,000 off Vanta.

Biden bans Kaspersky over security concerns. Accenture says reports of them being breached are greatly exaggerated. SneakyChef targets diplomats in Africa, the Middle East, Europe, and Asia. A serious firmware flaw affects Intel CPUs. More headaches for car dealerships relying on CDK Global. CISA alerts over 100,000 individuals of potential data breach in a chemical security tool hack. SquidLoader targets Chinese organizations through phishing. A new nonprofit aims to establish certification standards in maritime cybersecurity, a sneak peek of our latest podcast, Only Malware in the Building, and using the court system for customer support.

It's Friday, June 21, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing.

Happy Friday and thank you for joining us. It is great as always to have you here with us.

The Biden administration announced plans to ban the sale of Kaspersky Lab's anti-virus software in the U.S. due to security concerns over Russia's influence on the company, Reuters reports. Commerce Secretary Gina Raimondo emphasized that Russia could exploit Kaspersky to steal sensitive data or install malware, especially given the software's deep access to computer systems. Kaspersky's clientele includes critical infrastructure providers and local governments, raising further alarm.
Kaspersky claims the decision is politically motivated and intends to explore legal options. The Russian embassy did not comment and Kaspersky maintains it is privately managed without government ties. The new rule will take effect on September 29, blocking new sales, downloads and updates of Kaspersky software in the U.S. Additionally, three Kaspersky units will be added to a trade restriction list, complicating its international operations. This move aims to eliminate risks of Russian cyber attacks and continues the pressure on Moscow amid the ongoing conflict in Ukraine. Senator Mark Warner supports the ban, arguing it's unsafe to allow Russian software access to American systems. The new restrictions also prohibit the sale of white-labeled products containing Kaspersky software. Sellers and resellers violating these rules will face penalties. However, software users will not be penalized but will be encouraged to switch to alternatives.

In a follow-up to yesterday's report, Accenture has addressed the claims made by BreachForums user 888, who alleged possession of data on just under 33,000 current and former employees. According to Accenture, their analysis of the published data set revealed only three employee names and email addresses, with no additional information linked to the company. Accenture reported no indications of system compromise, but stated that investigations are ongoing. This response comes amid concerns raised by 888, a known leaker responsible for multiple high-profile cyber attacks.

A Chinese-speaking cyber espionage group, SneakyChef, has targeted the ministries of foreign affairs and embassies in at least nine countries across Africa, the Middle East, Europe and Asia, according to Cisco Talos researchers. Having non-public government documents as lures, the group aimed at Angola, Turkmenistan, Kazakhstan, India, Saudi Arabia, South Korea, Uzbekistan, the US and Latvia.
SneakyChef employs the SugarGh0st remote access tool and a new Trojan, SpiceRAT, to conduct their operations. These findings indicate a rapidly evolving and aggressive hacking campaign targeting key geopolitical hotspots. There's currently no conclusive evidence linking the group to a specific government agency, although some activity aligns with Chinese state-sponsored groups.

A firmware vulnerability in Phoenix SecureCore UEFI, affecting various Intel processors, allows local privilege escalation and arbitrary code execution within the firmware. This flaw, linked to an unsafe GetVariable UEFI service call, could lead to a stack buffer overflow. Discovered on Lenovo ThinkPad laptops, it affects multiple Intel processor families. Phoenix and Lenovo have issued updates. While no exploitation in the wild is reported, users should check for firmware updates.

Following up on this week's reports of car dealerships in the US being unable to serve their customers due to cyber attacks targeting SaaS platform provider CDK Global, the company has issued a new warning to customers about scammers posing as CDK agents to gain unauthorized system access. This caution comes after two cyber attacks on June 18th and 19th forced the company to shut down its customer support channels and take most of its systems offline. In response, CDK set up toll-free lines for status updates but warns customers to avoid communications with anyone claiming to be a CDK representative seeking system access. Customers should not perform DMS tasks and stay alert for phishing attempts. CDK has no estimated resolution timeframe yet but assures that digital retail application data is secure.

CISA has notified participants of the Chemical Facility Anti-Terrorism Standards program about a data breach involving the Chemical Security Assessment Tool, hacked in January 2024. Attackers exploited an Ivanti Connect Secure appliance zero-day vulnerability.
The breach potentially affects over 100,000 individuals, with compromised data possibly including personal information, security assessments and site security plans. Although no data exfiltration was confirmed, CISA advises impacted individuals to reset passwords. Facilities are requested to notify affected people or provide contact information to CISA. The breach, considered a major incident under FISMA, exposed sensitive information related to chemical security.

Researchers have discovered a new malware loader, SquidLoader, targeting Chinese organizations through phishing emails. Disguised as a Word document, it employs advanced evasion techniques to avoid detection, such as obfuscation and using expired or self-signed certificates. SquidLoader downloads a malicious payload, often Cobalt Strike, via HTTPS, which achieves persistence on the victim's machine. The loader's sophisticated methods include encrypted code sections, dynamic API resolution and complex control flow obfuscation, making it challenging for security analysts to detect and analyze.

The newly announced International Maritime Cybersecurity Standards Organization, IMCSO, a non-profit supported by industry, aims to solve several key issues in maritime cybersecurity. Currently, ship captains lack the time to assist cyber auditors and the variety of assessment methodologies creates unnecessary complexity, overheads and delays in providing risk and technical audit results to port authorities and insurers. This inconsistency leads to confusion and inefficiency in evaluating and managing cyber risks. IMCSO seeks to address these problems by standardizing cybersecurity assessments and certifications, ensuring that evaluations are conducted uniformly, safely and effectively. This will streamline the risk assessment process, making it easier for stakeholders to understand a vessel's cyber risk, and provide a reliable registry of certified cybersecurity suppliers and professionals.
Ultimately, IMCSO aims to improve the overall resilience and compliance of the maritime sector to cyber threats.

Speaking of the maritime sector, the U.S. Department of Homeland Security is enhancing maritime cybersecurity in the Indo-Pacific region by partnering with Indonesia under initiatives from the U.S. Department of State and the Department of Defense. This agreement, part of the comprehensive strategic partnership, aims to protect maritime critical infrastructure and improve the resilience of the International Maritime Transportation System. DHS and Indonesian authorities conducted a cybersecurity tabletop exercise and workshop to strengthen incident response capabilities. This collaboration emphasizes information-sharing, operational coordination and joint efforts to counter cyber threats, ensuring the safety and security of global maritime activities.

Coming up after the break, a sneak peek of our latest podcast, Only Malware in the Building. Stick around.

And now, a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to InfoSec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco, 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors.
Then, coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

[MUSIC]

Enterprises today are using hundreds of SaaS apps. Are you reaping their productivity and innovation benefits, or are you lost in the sprawl? Enter Savvy Security. They help you surface every SaaS app, identity and risk, so you can shine a light on shadow IT and risky identities. Savvy monitors your entire SaaS attack surface to help you efficiently eliminate toxic risk combinations and prevent attacks. So go on. Get savvy about SaaS and harness the productivity benefits, fuel innovation while closing security gaps. Visit savvy.security to learn more.

We are pleased as punch to have premiered a new podcast titled Only Malware in the Building. The show features yours truly, our own Rick Howard, and Selena Larson from Proofpoint. Here's a preview of the show.

Today, we're talking about the curious case of the missing IcedID. IcedID is a malware originally classified as a banking Trojan and first observed in 2017. It also acts as a loader for other malware including ransomware and was a favored payload used by multiple cyber criminal threat actors until the fall of 2023. Then it all but disappeared, and in its place a new threat crawled: Latrodectus. Named after a spider, this new malware created by the same people as IcedID is now poised to take over where IcedID melted off.

I'm a little bit grossed out about all this. First Ice-D, Ice-D-N-R-T that you mentioned at the top of the show, does that mean there's a spider in the cup also?

Oh my god. No, but I highly recommend not googling this malware name, especially if you have a fear of spiders like I do.
I'm sorry, I was just enjoying a delicious dip and Selena, I want to apologize that Rick and I were both late to this recording session. We were waiting for Rick's dial-up to connect.

I just upgraded my modem, Dave, so I don't want to hear any crap about how slow I am on this particular episode.

Sure. Okay, absolutely.

Guys, guys, guys, we have to be cool. Think about our audience.

Well, let's start out, I mean, talking about IcedID. So what is IcedID and how did it originally emerge into the cyber security landscape?

IcedID has been around. Like I mentioned, it was initially classified as a banking malware. It was first observed in 2017. It was really part of that banking Trojan family. There was this era of cybercrime where you had things like Ursnif, IcedID, Dridex, all came on scene that were classified as banking malware. They were going after banking credentials, real money, and then it started acting as a loader for other malware, including ransomware. It was used by multiple prominent initial access brokers, so essentially those threat actors that are trying to gain access to compromise a system and then deliver ransomware. Emotet, for example, was seen delivering IcedID.

Can I just pause and say that the reason I love cyber security is that all the cool names that we come up with to describe all this stuff? I mean, you were at a lot of maybe nine different malware names, right, that is on the tip of the tongue of everybody and that's the reason I'm here. Okay, Selena.

You know what? I feel like it has gone slightly overboard, though. It's hard to keep them all in my head. There's just so many and the names are so chaotic.

Yeah. I wish there was one organization that could take responsibility for being the defining name because every malware actor has half a dozen different names and very often it is my job to say them all and keep them straight, which is not easy.
Well, even IcedID was AKA BokBot in the early days, so there's even malware has multiple names for the same type of malware. It's, yeah, you have to keep them straight.

Sounds like a robot chicken.

Yeah. What I love about it, though, is that we have malware names and we have hacker names. We have hacker group names and sometimes they're the same names, right? And then just like talking about getting confused, okay, I have no idea what we're talking about most of the time.

Oh, Rick, Rick, you don't give yourself enough credit. You know, Selena, I think that it is safe to say that Rick is a security genius. Not particularly true, but safe.

Hey, I am in the presence of greatness right now.

Oh, stop. Go on. Go on. Please. Please tell me more. Tell me more.

Yeah. Only if you'll share your dips, Dave.

Okay. No. I'm sorry. It's not enough. Well, you obviously haven't read my contract.

No, we know. There'll be no sharing of the dips.

So all right. So we've talked about IcedID. So what happened to IcedID? How like do we understand the circumstances of how it just fell off the radar?

That's a very good question. So it was pretty prominent. And back in early 2023, we actually saw a new variant of IcedID called IcedID Lite. It kind of removed some of the functionality of the initial type of malware. So we thought that continuing development going all in on this type of malware. And then in the fall, it really just sort of stopped appearing in campaign data. We were asking ourselves at Proofpoint, you know, fellow researchers being like, hey, you know, what's going on? Because the actors that use IcedID, these initial access brokers, they're still active. And it coincided, the fall of IcedID sort of coincided with, in November 2023, this, you know, new malware that kind of came on the scene. And initially people thought it was another new variant of IcedID.
But great, this is, this is, this is interesting, but it turned out to be something completely different. It was Latrodectus, but suspected to be developed by the same folks who created IcedID. So this top dog of initial access malware that had been used for so long just sort of disappeared and in its place rose Latrodectus.

Did Latrodectus have some sort of significant upgrade to it that caused them to abandon the other one or, I mean, it seems weird that we just take something that was working and go to something different.

Great question. Not really. And actually, if you asked my colleague, Pim, who did all of the malware reversing on Latrodectus, he thinks it's a little basic. He's not very impressed with this particular malware. He would like the threat actors to try a little bit harder.

Oh, don't say that.

To make things more fun for him.

Yeah, let's taunt them, Selena. That would be great for all of us.

You're right, you're right, I know.

So Latrodectus, this is the version of me dialing up to the internet with my modem. Is that what you're telling me?

I don't know if it's quite that because it's still a payload that's used by initial access brokers, right? Like, we're still seeing it being used by threat actors, although not as much as IcedID. Which is kind of interesting. IcedID was really up there with Qbot, right? Like, you had these sort of, you know, frequent, highly regarded malwares, highly used malwares that typically led to ransomware. I mean, IcedID, we saw throughout its life cycle leading to Maze, Sodinokibi, Egregor. The DFIR Report just published a couple of posts recently about it going to Nokoyawa, Dagon Locker ransomware. So, it was really kind of a key component in many, many ransomware attacks, so it was kind of interesting that, you know, it just sort of like fell off the landscape.
And Latrodectus came back, we only see it with a couple of threat actors, but it's still like, you know, you're still trying to figure out, like, what comes next? IcedID was so prominent, and then it just kind of disappeared, and now we're all kind of seeing like, okay, what's going on?

So, what's the main takeaway here, Selena? I mean, is there common protections for Latrodectus, or does it mean something specific if you see that kind of thing in your environment?

So, I would say that with Latrodectus in particular, I have to say the community has really come together to do a lot of really great research into this particular malware. Proofpoint actually published a blog in collaboration with Team Cymru, looking at this particular malware and its infrastructure, and that was pretty interesting to see a lot of, you know, the overlap with historic IcedID operations. But you know, when there is something like an initial access type of malware that is identified, that's always something that should be sort of like a high priority, you know, investigation. Like, as we've seen historically, certainly with IcedID, things like Qbot, the access to ultimate ransomware delivery, the relationship is there, and I think The DFIR Report recently came out with an example of an IcedID infection with the time to ransomware being 29 days. You know, it's the whole cycle, and the activity is there, there's going to be likely, especially if we're talking about initial access brokers, there's going to be, you know, the initial malware delivery, there's going to be data exfiltration, there's going to be lateral movement, they're going to try and, you know, spread themselves as much as they can before actually leading to ultimate encryption.
So yeah, I mean, I think the jury is still out on like, what does Latrodectus mean, but it's a great example of the continued experimentation of initial access brokers, the continued use of new tools, new resources, trying to adopt new techniques to see what works best, and they're always out there trying to compromise computers and make as much money as possible.

Well Selena, thank you for sharing all of this information with us. We are excited to be part of Only Malware in the Building. Rick and I, we do have to run. We are meeting up later today to play an exciting game of Pong together.

So I believe I'm ahead, Dave, I believe I'm ahead.

Well, right, but before we do, we both need a nap, so thanks so much, and we will see you here next month.

Thanks, you guys, I'm very much looking forward to it. And thanks to you, all our listeners, for tuning in to Only Malware in the Building. Be sure to subscribe to Only Malware in the Building wherever you get your favorite podcasts.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling, wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at Shopify.com/tech, all lowercase. That's Shopify.com/tech.

And finally, Ray Palena took drastic measures last month, flying from New Jersey to California to confront Meta in San Mateo's small claims court.
After eight months and $700 in travel expenses, he managed to reclaim his hacked Facebook account, something Meta's customer support utterly failed to assist with. Palena's story is part of a growing trend of frustrated Meta users turning to small claims court. Engadget found out that out of five people who sued Meta in small claims, three successfully regained their accounts. Some even received financial compensation. Why the courtroom drama? Meta's customer support is virtually non-existent. Their help pages send users on a wild goose chase through automated tools and dead-end links. It's enough to drive anyone mad. Valerie Garza, a massage business owner, faced similar exasperation. After her business's Instagram was hacked, Meta's absence led her to court where she won $7,268.65 in damages. Meta didn't even show up to the hearing. Their legal team tried to overturn the verdict, but Garza stood her ground and prevailed. For those without a financial stake, like Palena, the frustration is still real. His hacked account was being used for scam listings, damaging his reputation. Small claims court became his last resort to get Meta's attention and secure his profile. Despite the hurdles, small claims court offers a beacon of hope for those exhausted by Meta's non-existent support. Filing fees are low and the process doesn't require legal expertise, making it accessible for many. Users like Palena and Garza show that sometimes you have to take matters into your own hands to get results from the tech giant.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at TheCyberWire.com. Be sure to check out this weekend's Research Saturday, and my conversation with Kerri Shafer-Page from Arctic Wolf. We're discussing their work, Lost in the Fog: A New Ransomware Threat. That's Research Saturday, check it out. We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben, our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.

Strata is your solution for securing on-prem and cloud apps without the hassle of refactoring. Modernize legacy systems with MFA or passwordless authentication and ensure continuous identity availability across multi-cloud environments. Say goodbye to tech debt and hello to seamless integration. Strata helps you reduce stress and gain control over your identity architecture, enhancing security and efficiency. Join industry leaders like 3M, Navy Federal and Kroger, who trust Strata for their identity needs. Visit strata.io/cyberwire to share your biggest identity challenge and receive a complimentary pair of AirPods Pro. Don't miss out, transform your identity management today at strata.io/cyberwire. And our thanks to Strata for being a longtime friend and supporter of this podcast.