A new week, a new month, and a new Cybersecurity News post! This iteration contains a whopping eight (8) stories covering the last two to four weeks. Since cybersecurity is a diverse field of assorted specializations, we attempt to match that with various stories touching on all aspects of cybersecurity. This time we cover a few breaches, Elon Musk’s decision to alter Twitter’s multi-factor authentication policy, the TrickBot group being exposed and sanctioned, Russia wanting to legalize cybercrime formally, and more!
Since this post is relatively longer than previous iterations, we’ve included a table of contents so you can navigate directly to the story of your choice without scrolling. We will keep this change going forward and plan on continuously making improvements as necessary. On to the topics!
Table of contents
- TrickBot Group Exposed and Sanctioned
- Multi-Year GoDaddy Breach Results in Source Code Leak and Malware
- Cybrary Releases more than 500 Hours of Free Cybersecurity Training Videos to Address the Skills Shortage
- Post-Quantum Encryption Algorithm Cracked With the Help of AI
- Group Behind 0ktapus Campaign Attempted Sophisticated Attack on Coinbase
- Twitter Removes SMS Two-Factor Authentication For Non-Twitter Blue Subscribers
- Three Terabytes of U.S. Military USSOCOM Data Exposed on Azure Server
- Russia Seeks to Formally Legalize Cybercrime
1) TrickBot Group Exposed and Sanctioned
United States (US) and United Kingdom (UK) authorities have exposed and announced sanctions against seven members of the TrickBot cybercrime gang. You may also know the group under different aliases – Wizard Spider, FIN12, DEV-0193, DEV-0569, and UNC1878. Although, these aliases could be affiliates cooperating with prominent TrickBot members. The group also goes by the ransomware they have created or helped propagate – BlackByte, Black Basta, Conti, Diavol, Maze, Quantum, Royal, and Ryuk. Their bread and butter is the botnet they use to spam email campaigns – TrickBot – to deploy further malware, usually ransomware.
The sanctioned members are as follows:
- Vitaly Kovalev (“Bentley,” “Ben”)
- Maksim Mikhailov (“Baget”)
- Valentin Karyagin (“Globus”)
- Mikhail Iskritskiy (“Tropa”)
- Dmitry Pleshevskiy (“Iseldor”)
- Ivan Vakhromeyev (“Mushroom”)
- Valery Sedletski (“Strix”)
It isn’t just those seven members who we know are behind some of their ransomware development and money laundering. For example, a Latvian woman named Alla Witte helped program some of the group’s software, notably the Diavol ransomware. The group also uses money mules, such as Christina Svechinskayawho, a Russian student arrested by the FBI in 2010, who act as intermediates to launder the stolen money from extortions and other misdeeds. Christina was one of 37 money mules employed by TrickBot, and you can be sure there are many more.
TrickBot’s leaked chats and the unveiling of the group by the US and UK governments provide an exceptional case study on the underground ecosystem of cybercrime groups. Much of this information comes from those internal leaked chats. Cyjax gleaned this data and provided a comprehensive overview of TrickBot’s operations, which is the best place to go if you want more information on this topic. A short paragraph wouldn’t do it justice. You can find that reference, as well as many others, below.
2) Multi-Year GoDaddy Breach Results in Source Code Leak and Malware
GoDaddy is an American domain registrar and web hosting company based in Arizona. Apart from those two things, the company has evolved to offer a suite of tools to help anyone get a website up and running with additional offerings to market and attract customers. Unfortunately, according to GoDaddy’s most recent U.S. Securities and Exchange Commission (SEC) annual 10-K report, the company was a victim of three separate breaches involving the same threat actor over the last three years.
According to the report, the breach impacted over one million GoDaddy customers and began in March 2020 when 28,000 hosting accounts were compromised. The second breach occurred a year later when the hackers acquired an admin password from the company and gained access to GoDaddy’s WordPress admin dashboard. This resulted in a further compromise of 1.2 million customers through the Managed WordPress hosting environment. The third and final breach happened a few months ago, in December, when threat actors installed malware on internal systems. This malware ended up on customers’ websites, affecting not only GoDaddy but also customers.
Thankfully, GoDaddy states that this string of breaches didn’t affect normal operations, and the incident is no longer ongoing. Read the official 10-K report to understand the breadth of the breach and the services involved.
3) Cybrary Releases more than 500 Hours of Free Cybersecurity Training Videos to Address the Skills Shortage
This post is short and sweet. Cybrary, a well-known cybersecurity platform, announced they are making more than 500 hours of video content free to address the cybersecurity skills shortage. These videos are for all skill levels, beginner, practitioner, and advanced practitioner, in what they aptly call “Cybrary Free Access.” For beginners, they offer a new IT Foundations and Cybersecurity Foundations path. Practitioners can utilize certification prep courses. Advanced practitioners can unlock entire courses for free, such as Threat Actor Campaigns (TAC) and Common Vulnerabilities and Exploits (CVE) Series.
According to the World Economic Forum (WEF), the cybersecurity sector must fill around 3.4 million jobs to fill the workforce gap. A gap that increased by 26.2% in 2022 compared to 2021. According to a study by Fortinet, the two areas to address are training and diversity. Cybrary is doing its part for training, but diversity is arguably more important. That’s because there are many free cybersecurity resources already, but about 80% of all cybersecurity professionals are white, and only 14% are female. In other words, it’s easier to train technical skills as opposed to hiring an outstanding diverse team with varying skill sets and backgrounds. With millions of job openings, organizations want to retain talented folks and build a well-rounded team. However, that isn’t easy, with other organizations eager to snatch skilled cybersecurity professionals of all genders, races, and backgrounds.
4) Post-Quantum Encryption Algorithm Cracked With the Help of AI
The idea and implementation of quantum computing will fundamentally change the world, plain and simple. This is because quantum computers contain quantum bits (qubits) that hold exponentially more data than traditional computer bits, vastly increasing throughput. A conventional bit can be in one of two states – 0 (off) or 1 (on). Conversely, a qubit can be in more than one state – 0, 1, “or any proportion of 0 and 1 in superposition of both states, with a certain probability of being a 0 and a certain probability of being a 1.” Since throughput equals data over time, qubits can send an exponential increase in data directly proportional to the qubit’s state. Thus, quantum computing can solve many, if not all, of the world’s most computing-intensive tasks, superseding supercomputers.
So, what happens if someone attempts to leverage quantum computing for malicious purposes? Regarding cybersecurity, the primary concern is cryptography – specifically, encryption mechanisms. Most encryption mechanisms function on the premise that breaking or brute-forcing the algorithms is too labor-intensive, either deterring or preventing decryption. With quantum computing, these encryption algorithms are subject to instantly being broken by brute force. Although it wouldn’t require much “force.”
Due to this, NIST has been seeking an encryption mechanism that is “quantum proof.” Researchers recommended and approved an algorithm called CRYSTALS-Kyber that uses public-key encryption; the only candidate of the final four that used public-key encryption, the others used digital signatures. Quantum-proof algorithms sound great, right? Well, enter another emerging technology – artificial intelligence (AI). Both technologies are in their infancy, and it’ll be interesting to see the impacts of each, either synergistically or as a check and balance on each other. In mid-February, we got a teaser.
Researchers from the KTH Royal Institute of Technology in Stockholm, Sweden, published a paper on how they broke the NIST-recommended CRYSTALS-Kyber encryption using side-channel attacks and AI. A term the researchers called “Deep learning-based side-channel attacks.” A side-channel attack is an exploit based on information leakage from a system. This information usually isn’t enough to break the system, but with AI, researchers can train a model to deterministically find a vulnerability in the mechanism based on the data leaked. As the researchers suggest, their work could be a model in the future to perform an AI-based audit on encryption algorithms before attackers find them first.
5) Group Behind 0ktapus Campaign Attempted Sophisticated Attack on Coinbase
A group named 0ktapus recently performed several high-profile SMiShing campaigns targeting organizations using Okta. Okta provides Identity Access Management (IAM) services that allow users to authenticate and access secure resources. SMiShing combines the terms’ SMS’ and ‘phishing’ and is what you think it is – phishing via text messages. In the latter half of 2022, 0ktapus operators allegedly performed SMiShing attacks on Twilio, DoorDash, CloudFlare, and over a hundred others. In February, 0ktapus attempted to breach Coinbase using the same techniques. Fortunately, they did not fall victim to their social engineering attempts for the most part.
Coinbase used this opportunity to be transparent and share the information they learned from this attack to help other organizations using Okta. They released a case study on the event and revealed a lot of good tactics, techniques, and procedures (TTPs) that the attackers used. The TTPs include how they acquired initial access, potential command and control servers (C2s), tools used for remote access, and unexpected installations. A typical SMiShing attack from 0ktapus looks like this:
It’s a safe assumption to assume that these attacks will continue. So, employees at organizations who use Okta should be vigilant about the texts received. Most SMiShes can be snuffed out by taking a second and looking at the URL of the text and checking for any grammatical errors. Users of other IAM services should heed this warning as well. No one is assumed safe from SMiShing, and anyone is susceptible to being a victim of these attacks. Trust your gut. If it looks fishy, it probably is.
6) Twitter Removes SMS Two-Factor Authentication For Non-Twitter Blue Subscribers
Elon Musk is back at it again, ruffling the feathers of cybersecurity practitioners and anyone not subscribed to Twitter Blue. That’s because Twitter announced an update to two-factor authentication (2FA), placing SMS 2FA behind the paywall of Twitter Blue. Currently, in the United States, Twitter costs $8.00 per month for web users and $11.00 per month for iOS and Android users. The higher price for mobile users is to offset the fees going to Apple and Google, respectively, and these costs vary based on your country.
Based on his public tweets, Musk states that the change is because of money expenditures by offering SMS 2FA and its insecurity based on the various manners attackers bypass SMS 2FA. Both of which are true. Musk reveals those thoughts in his Tweets below:
Offering SMS 2FA as an organization is indeed a significant expenditure. Musk says Twitter spends $60 million annually on fake SMS 2FA messages. That doesn’t include the non-fake ones. So, Twitter may be paying up to 9-figure fees for these texts. Seeing as Musk’s main priority is lowering the costs of Twitter operations, the impetus for this change is likely financially related.
However, the other reason for this change is that SMS 2FA is not as secure as other 2FA options, and as was said, this is true. Even the National Institute of Standards and Technology (NIST) advises using any other 2FA option (NIST SP 800-63B – Section 4.2.1). What’s bizarre is that Musk will continue to offer this service to Twitter Blue subscribers, effectively providing a less secure option for a cost. If security were the primary concern, users wouldn’t be paying extra for less security. However, the other two options – authentication apps or hardware keys – will be mandatory after the 19th of March, 2023.
Surprisingly, from July 2021 to December 2021, only 2.6% of Twitter users used 2FA. It’s safe to assume this number will be lower once the policy change occurs. Meaning more users are less secure. Yes, SMS 2FA is less secure, but any 2FA is better than no 2FA. So, it completely disregards the defense-in-depth model employed by cybersecurity professionals. If you’re using SMS 2FA, we recommend, as well as NIST, to change to an authentication app at a minimum and a hardware key if you desire to do so.
7) Three Terabytes of U.S. Military USSOCOM Data Exposed on Azure Server
Another Azure server was misconfigured and exposed to the Internet. This time, the problem is that the exposed server belonged to the U.S. Military and revealed sensitive information about the U.S. Special Operations Command (USSOCOM). According to public reporting, a good-faith security researcher named Anurag Sen discovered the exposed server, and it’s not the first time he’s warned organizations of its exposed assets. According to data from Shodan, a well-known open-source intelligence (OSINT) tool used to search almost every Internet-connected device on the planet, the server exposed the data to anyone who could find it for two weeks.
To understand the severity of exposing USSOCOM data to the public for two weeks, you must understand what USSOCOM does. USSOCOM, as the name implies, is the US military special operation forces command hub coordinating with other special operations forces (SOF) globally. Their operations include counterinsurgency and counterterrorism, hostage rescue and recovery, special reconnaissance, unconventional warfare, and more. The database in question possibly exposed some of this data.
The Pentagon and Microsoft are investigating how this occurred. Still, a spokesperson from the Defense Department stated there was no evidence anyone accessed the three terabytes (TB) of exposed data, thankfully.
8) Russia Seeks to Formally Legalize Cybercrime
In a move that may surprise most, but not all (myself), the head of the State Duma Committee on Information Policy, Alexander Khinshstein, stated that Russia intends to formalize cybercrime into law as long as it’s in the interest of the Russian Federation. The Russian government and cybergroups based out of Russia, or swear allegiance to Russia, perform a lot of cyberattacks against countries not in the Commonwealth of Independent States (CIS). For those unfamiliar, the CIS is a Eurasian intergovernmental organization comprised of 9 independent countries, primarily from the former Union of Soviet Socialist Republics (USSR): Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Uzbekistan. Although upon the dissolution of the USSR in 1991, the CIS consisted of 12 countries – those mentioned prior, Georgia, Turkmenistan, and Ukraine. The latter three countries withdrew from the CIS for different reasons. You can get a high-level overview of the reasons here.
For all other countries not in the CIS, mainly NATO countries, Russian threat actors usually act with impunity. Russian officials typically look the other way, with some exceptions, and loopholes exist in the Criminal Code of the Russian Federation to bypass cybercrime laws. For that reason, about three-fourths of ransomware payouts lead back to Russian-based operators. You may wonder how these attackers avoid CIS countries when propagating malware, especially for self-propagating malware like worms. Well, malware authors implement geolocation techniques before the malware delivers its payload. Common methods include getting the victim’s IP address, grabbing language information from the system, and even checking the keyboard configuration.
This post initially stopped here, but after completing it, Russia made additional changes to cybercrime laws. On March 1st, Putin signed a decree amending Article 10 Dissemination of information or provision of information, to ban foreign messenger services, including Discord, Microsoft Teams, Skype, Snapchat, Telegram, Threema, Viber, WhatsApp, and WeChat. That decree is translated and shown in full below.
The list doesn’t include some big names, including Meta (Facebook and Instagram) and Zoom. That’s because last year, Russia found Meta guilty of “engaging in extremist activity” because it tolerated “Russophobia” on its platform. These decrees aren’t just for show, as influencers on these social media platforms were restricted from these platforms and could face jail time.
Several references are below regarding CIS countries, Russia’s link to cybercrime, Russian cyber laws, and the abovementioned decrees.