Dave Bittner
You're listening to the CyberWire network, powered by N2K. Now a word about our sponsor, the Johns Hopkins University Information Security Institute. The JHU ISI is home to world-class interdisciplinary experts dedicated to developing technologies to protect the world's vast online systems and infrastructure and working closely with US government research agencies and industry partners. The Institute offers dual-degree and joint programs in computer science and health informatics and has been designated as a Center of Academic Excellence in Cyber Research. Learn more at isi.jhu.edu.

Researchers uncover a critical Windows zero-day. An alleged Ukrainian cyberattack targets one of Russia's largest banks. Russian group BlueAlpha exploits Cloudflare services. Microsoft flags Chinese hacking group Storm-0227 for targeting critical infrastructure and US government agencies. SonicWall patches high-severity vulnerabilities in its Secure Access Gateway. Atrium Health reports a data breach affecting over half a million individuals. Rockwell Automation discloses four critical vulnerabilities in its Arena software. U.S. authorities arrest an alleged member of the Scattered Spider gang. Our guest is Hugh Thompson, RSAC Program Committee Chair, discussing the 2025 Innovation Sandbox and its new investment component. And C3PO gets caught in the crypto mines. It's Friday, December 6th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

Thanks for joining us here today, and happy Friday. It is great, as always, to have you with us. Researchers at Acros Security have identified a critical zero-day vulnerability affecting all Windows versions from 7 through 11 and Windows Server 2008 R2 onwards. The flaw, tied to the Windows NT LAN Manager authentication protocol, enables attackers to steal credentials simply by having users view a malicious file in Windows Explorer.
Actions as mundane as opening a shared folder, a USB disk, or even viewing the Downloads folder can trigger exploitation. Microsoft is developing a patch but has not yet released an official fix or CVE allocation. Meanwhile, Acros Security has issued a temporary micropatch through its 0patch platform to protect users, including those running unsupported Windows versions. Users are advised to apply this micropatch immediately to mitigate risks until Microsoft issues a permanent solution. With full technical details withheld to limit exploitation, this remains a significant and evolving security threat.

Gazprombank, one of Russia's largest private banks, faced reported service outages following an alleged Ukrainian cyberattack. Ukraine's military intelligence agency claimed responsibility for a DDoS attack disrupting online and mobile banking services for Russian users. While Gazprombank's website is operational, users continue to report app issues. The bank denied linking the disruptions to the attack. This follows recent US sanctions targeting Gazprombank, a key channel for Russia's oil and gas payments. Ukrainian cyberattacks on Russian financial institutions are frequent, but their actual impact remains unclear.

The Russian FSB-backed hacking group BlueAlpha is exploiting Cloudflare's secure tunneling service to enhance its phishing malware attacks, particularly targeting Ukraine. Researchers from Recorded Future's Insikt Group revealed that BlueAlpha uses Cloudflare Tunnels to hide staging servers and establish secure connections between victims' devices and malware command and control servers. This method, part of its GammaDrop infrastructure, complicates detection and blocking efforts. BlueAlpha, an offshoot of Kremlin-controlled Center 18, exemplifies the growing trend among threat actors leveraging legitimate services like Cloudflare Tunnels for malicious campaigns.
China-based threat actors reportedly breached a major US organization with operations in China, persisting in its networks from April through August of this year, likely for intelligence gathering. Symantec researchers found compromised Exchange servers, suggesting email and data exfiltration, although the attack's entry point remains unclear. Attackers used PowerShell to query Active Directory and employed Kerberoasting for credential access. They escalated activity in June, using renamed FileZilla components for data transfer and deploying persistence tools such as malicious DLLs and registry manipulation. Attackers leveraged living-off-the-land tactics with tools like PsExec, PowerShell, and WMI, typical of Chinese hacker strategies. The same organization was targeted by China's Daggerfly group in 2023, but attribution to specific actors remains inconclusive. Symantec highlighted the methodical role assignments across compromised machines to maintain persistence and gather intelligence.

Microsoft has flagged Chinese government-linked hacking group Storm-0227 for targeting critical infrastructure organizations and US government agencies. Active since January, the group shares similarities with Silk Typhoon, also known as Hafnium, and TAG-100. Over the past year, Storm-0227 has focused on sectors including defense, aviation, telecommunications, legal services, and government agencies. The group typically gains access through vulnerabilities in public-facing applications or spear-phishing emails, delivering SparkRAT, an open-source remote administration tool. Notably, they use off-the-shelf malware rather than custom tools, blending into normal network activity to evade detection. Once inside, Storm-0227 steals credentials to access cloud applications like Microsoft 365, exfiltrating emails and sensitive files to gather contextual intelligence. Their operations align with China's broader espionage goals targeting US interests and critical sectors.
Microsoft warns the group's persistence and focus on espionage make them a long-term threat.

SonicWall has patched several high-severity vulnerabilities in its SMA 100 SSL VPN Secure Access Gateway, including remote code execution flaws. The most critical are buffer overflow bugs in the web management interface and Apache web server library, each with a CVSS score of 8.1. Other issues include a heap-based overflow, path traversal, and authentication bypass. Users are urged to update their firmware promptly to prevent potential exploitation.

A zero-day vulnerability in the Mitel MiCollab suite allows attackers to read sensitive files, according to watchTowr researcher Sonny Macdonald. The flaw, exploitable only by authenticated users, was chained in a proof of concept with an authentication bypass patched in October. The zero-day, still awaiting a patch, could expose critical files. Mitel plans to release a fix soon.

Atrium Health has reported a data breach affecting over 585,000 individuals to the U.S. Department of Health and Human Services. The breach appears linked to tracking technologies used on its patient portals between 2015 and 2019, which may have transmitted user data to third-party vendors like Google and Meta. Exposed information could include names, emails, phone numbers, and treatment details. Though no financial or Social Security data was compromised, Atrium emphasized no misuse has been detected. This follows another incident in April involving compromised employee email accounts containing sensitive data.

Rockwell Automation has disclosed four critical vulnerabilities in its Arena software, potentially enabling attackers to execute remote code. The vulnerabilities include a use-after-free flaw, out-of-bounds write, uninitialized variable, and out-of-bounds read, each rated high severity at 8.5. Exploiting these flaws requires a legitimate user to execute a malicious DOE file, potentially leading to arbitrary code execution or operational disruption.
Users should upgrade to the latest version immediately.

US authorities have arrested 19-year-old Remington Ogletree, a member of the Scattered Spider cybercrime gang, for breaching a US financial institution and two telecommunications firms. Ogletree allegedly used text and voice phishing to steal employee credentials, impersonating IT support to pressure victims into visiting phishing sites. One phishing campaign targeted 149 employees of the financial institution, luring them with fake HR updates and benefits modifications between October 2023 and May 2024. Ogletree allegedly exploited telecom systems to send over 8.6 million phishing texts, many aimed at stealing cryptocurrency. Evidence seized from Ogletree's iPhone included phishing messages, credential harvesting sites, and screenshots of cryptocurrency wallets. The Scattered Spider gang, known for targeting companies with weaker security, has also been linked to high-profile attacks on MGM Resorts, Caesars, and Reddit. This fluid, English-speaking group uses phishing, social engineering, and SIM swapping to infiltrate corporate systems, complicating law enforcement's efforts to track them.

Coming up after the break, my conversation with Hugh Thompson from RSAC. We're discussing the 2025 Innovation Sandbox contest. And C3PO gets caught in the crypto mines. Stay with us.

And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's Security Coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike, and Cisco.
With 35 vendor integrations and counting, Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity, or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack, or email. Learn more at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach, and we thank KnowBe4 for sponsoring our show.

And now a message from BlackCloak. What's the easiest way for threat actors to bypass your company's cyber defenses? Targeting your executives at home. According to the latest Ponemon research study, over 42% of CISOs have reported cyberattacks on their executives in their personal lives. And this becomes your problem, because executives are easy targets at home for account takeover, credential theft, and reputational harm. Close the at-home security gap with BlackCloak's Digital Executive Protection Platform: award-winning 24/7/365 protection for executives and their families. Learn more at blackcloak.io.

Hugh Thompson is Program Committee Chair for the RSA Conference. I recently caught up with him to discuss the 2025 Innovation Sandbox contest and its new investment component.

So Hugh, today we are talking about some exciting changes that are going into effect for the 2025 Innovation Sandbox contest at RSA Conference this coming year. I have to say at the outset that the Innovation Sandbox has always been a favorite event for me and many of my CyberWire colleagues here. I think it really captures a lot of the energy of the conference itself. And you all have some really exciting news for this next coming show.
Hugh Thompson
Dave. So first, thanks so much for having me on. And we're super excited about Innovation Sandbox. I've always viewed it as a celebration of innovation in cyber and cyber is so dependent on innovation. Bad guys are changing all the time. We need to innovate. Innovation Sandbox, I think is the ultimate representation of that. This is our 20th year of doing Innovation Sandbox, which is just hard for me to fathom. And we do have some exciting additions this year. So one of the things that we've announced is for every one of the top 10 finalists in Innovation Sandbox, we are providing $5 million in very founder friendly financing for these folks. And I couldn't be more excited about it. I think it's just a huge opportunity for these entrepreneurs to be able to capitalize on all the interest that they get as part of being in Innovation Sandbox and the opportunities that come out of it.
Dave Bittner
Well, let's dig into some of the details here. I mean, that is a big number. You hear people joke about it being an honor just to be nominated, but in this case, to make it into the top 10, there's quite a bit of potential here for a big financial boost.
Hugh Thompson
I think so. And for a long time now, it's been fascinating to watch. Once those top 10 are announced, typically companies change their entire website, right? It's sort of the focal point of their site, the fact that they got in the top 10, and they deserve that. We've got an independent panel of judges that weed through a lot of applicants. And so getting into the top 10 is extremely difficult. But one of the things that we found is, as soon as you become a part of that top 10 cohort, you're then inundated with opportunities. There's companies, chief security officers, folks that now want to know more about you, maybe do proof of concepts. And necessarily, for many of these companies, it means: how do they deploy more resources at their companies to go and seize these opportunities of these proof of concepts, of these trials? And we think we have a way to give them a cash infusion immediately that doesn't set a valuation on the company; it waits till their next professional financing to actually convert into an equity position. So it's better financing than they could get on the public market, and they can use it right away to grow their business, to stimulate innovation, and to grow their companies.
Dave Bittner
You all have emphasized that this funding comes from Crosspoint Capital Partners, and this is a Simple Agreement for Future Equity, which spells out the word SAFE.
Hugh Thompson
SAFE.
Dave Bittner
That's right, I guess. Is this an obligation as well? I mean, in order to be accepted as being in the top 10, is it a requirement that you take this funding?
Hugh Thompson
It is. It is. It's a condition of the contest. And this SAFE note that you're talking about, I'll go into a little bit of detail on it, because I think it's important. It's something called an uncapped SAFE, which basically means that it doesn't set a value for the company. It waits till the company has effectively continued to grow, probably fueled by some of this $5 million investment, and then it converts into equity at the next professional round of financing. And so we think that this is a mechanism for entrepreneurs to really accelerate their roadmap, to bring to bear resources to grow their companies. And I can tell you, there's never been a more important time for us to get not only innovative companies out there in the spotlight, but also help those companies grow. The bad guys are working overtime, and we think that innovation that comes from these startups is going to be absolutely essential to cyber defense.
Dave Bittner
Well, in addition to the funding, you all have announced a new forum that you're calling the RSA Conference Founders Circle. Tell us about that.
Hugh Thompson
Yeah, I'm very excited about that. So this is a program that applies not just to the top 10 from 2025, but the top 10 going all the way back 20 years to the beginning of Innovation Sandbox. And many of those companies have continued to grow over time. Think about it as a network where these companies can connect with each other, share resources, learn from each other. We want to be able to foster collaboration among those companies that have gone through, really, the crucible of Innovation Sandbox made it into that top 10 cohort. Allow them to learn from each other, allow them to help each other. And we're hoping that this will be just a great network for those companies to be able to continue to grow in the space.
Dave Bittner
What's your advice for startups who have their sights set on the Innovation Sandbox here? Any words of wisdom to improve their chances of being selected?
Hugh Thompson
Oh, my gosh. I've been doing this for a couple of decades now, and I'd say the best advice is to really perfect how you tell the story of your company. It's so important. If you look at these judges, who tend to be very prominent folks from the cyber community, they are in the back of their head asking a couple of key questions, like: why is this company different from the many other cyber companies that I've seen now? What is it that they're bringing that's new into the marketplace? Do they have the right people? Like, who are the folks that are behind this company? And do they have a real way to get it out into the marketplace? Telling your story succinctly in the three minutes that you have on that stage is so essential, and also in the video that you submit as part of the application process. So if there's one piece of advice, it's just nail your own story.
Dave Bittner
Yeah, and I suppose, I mean, the proof is in the pudding here, that these companies have had a very high success rate.
Hugh Thompson
They have, they have. You know, some of them have gone on to be absolute staples in cybersecurity. You had some of the early winners, like Imperva, for example, that went on to do fantastic things. Wiz was a top 10 finalist back in 2021. Ironically, they just purchased a top 10 finalist from 2023, Dazz. And you've got all of these great companies where a huge chapter in their story began at Innovation Sandbox. And I can't wait to see the next chapter that starts to begin from the cohort that comes up in 2025.
Dave Bittner
That's Hugh Thompson, RSAC Program Committee Chair.

Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's how: Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

And finally, a gentleman named Charles O. Parks III, or as he styled himself, CP3O, kind of like the droid, decided to take a creative approach to cloud computing. Instead of paying for it, he racked up $3.5 million in unpaid bills with two tech giants based in Washington, believed to be Amazon and Microsoft. What did he do with all that computing power? He mined cryptocurrency: Ether, Litecoin, Monero, you name it, netting about $970,000 from January to August 2021. Parks set up aliases like Multimillionaire LLC, which is a little on the nose, to open multiple cloud accounts. He convinced providers to give him premium services with deferred billing and even managed to launch tens of thousands of mining instances. That's a lot of fake money-making, literally and figuratively. He didn't stop at mining. Parks laundered his crypto through exchanges, an NFT marketplace, and bank accounts, then spent his ill-gotten gains on first-class travel, a luxury Mercedes-Benz, and flashy jewelry. Basically, he was living like a high roller until the bill came due. The Justice Department was not impressed. They've charged Parks, who pleaded guilty to fraud. He faces up to 20 years in prison.
Prosecutors say this case highlights their commitment to cracking down on cybercriminals using complex schemes. So it would seem this self-styled C3PO miscalculated the odds of dodging Microsoft's and Amazon's billing departments.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Shawn Kanady, Global Director of Trustwave SpiderLabs. The research we're discussing is titled "Pronsis Loader, a JPHP-Driven Malware." That's Research Saturday. Check it out.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next.

Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early '90s, and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row.
All of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business: the hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run, and protect your business all in one place, and they save you from wasting hours making sense of all that legal stuff. Launch, run, and protect your business. To make it official today at legalzoom.com, you can use promo code CYBER10 to get 10% off any LegalZoom business information product, excluding subscriptions and renewals. That expires at the end of this year. Get everything you need from setup to success at legalzoom.com and use promo code CYBER10. That's legalzoom.com and promo code CYBER10. LegalZoom provides access to independent attorneys and self-service tools. LegalZoom is not a law firm and does not provide legal advice, except where authorized through its subsidiary law firm, LZ Legal Services LLC.
Podcast Summary: CyberWire Daily – "The NTLM Bug That Sees and Steals"
Release Date: December 6, 2024
Host: Dave Bittner
Guest: Hugh Thompson, RSAC Program Committee Chair
Publisher: N2K Networks
Overview:
Researchers at Acros Security have unveiled a severe zero-day vulnerability affecting all Windows versions from 7 through 11 and Windows Server 2008 R2 onwards. The flaw is linked to the NT LAN Manager (NTLM) authentication protocol, allowing attackers to steal credentials effortlessly.
Notable Quote:
"Actions as mundane as opening a shared folder, a USB disk, or even viewing the Downloads folder can trigger exploitation." — Dave Bittner [02:15]
Overview:
Gazprom Bank, one of Russia's largest private financial institutions, experienced service outages purportedly due to a Ukrainian cyberattack. The Ukrainian military intelligence agency claims responsibility, citing a Distributed Denial of Service (DDoS) assault that disrupted online and mobile banking services for Russian clients.
Notable Quote:
"Ukrainian cyberattacks on Russian financial institutions are frequent, but their actual impact remains unclear." — Dave Bittner [05:00]
Overview:
BlueAlpha, a hacking group backed by the Russian FSB and an offshoot of the Kremlin-controlled Center 18, is leveraging Cloudflare's secure tunneling services to amplify its phishing malware campaigns, particularly targeting Ukrainian entities.
Notable Quote:
"BlueAlpha exemplifies the growing trend among threat actors leveraging legitimate services like Cloudflare tunnels for malicious campaigns." — Dave Bittner [07:45]
Overview:
Microsoft has identified and flagged Storm-0227, a Chinese government-linked hacking group, for its persistent targeting of critical infrastructure organizations and U.S. government agencies. Active since January, Storm-0227 shares similarities with other known groups such as Silk Typhoon (also known as Hafnium) and TAG-100.
Notable Quote:
"Their operations align with China's broader espionage goals targeting US interests and critical sectors." — Dave Bittner [10:30]
Overview:
SonicWall has released patches addressing several high-severity vulnerabilities in its SMA 100 SSL VPN Secure Access Gateway. These include remote code execution flaws that pose significant security risks.
Notable Quote:
"Users are urged to update their firmware promptly to prevent potential exploitation." — Dave Bittner [12:15]
Overview:
Atrium Health has disclosed a data breach impacting over 585,000 individuals, reported to the U.S. Department of Health and Human Services. The breach is linked to tracking technologies employed on its patient portals between 2015 and 2019, which may have inadvertently transmitted user data to third-party vendors such as Google and Meta.
Notable Quote:
"Exposed information could include names, emails, phone numbers, and treatment details." — Dave Bittner [14:00]
Overview:
Rockwell Automation has revealed four critical vulnerabilities in its Arena software, which could enable attackers to execute remote code. These flaws are rated with high severity scores of 8.5.
Notable Quote:
"Exploiting these flaws requires a legitimate user to execute a malicious DOE file, potentially leading to arbitrary code execution or operational disruption." — Dave Bittner [16:50]
Overview:
U.S. authorities have apprehended 19-year-old Remington Ogletree, accused of being a member of the Scattered Spider cybercrime gang. Ogletree is charged with breaching a U.S. financial institution and two telecommunications firms through sophisticated phishing schemes.
Notable Quote:
"The Scattered Spider gang, known for targeting companies with weaker security, has also been linked to high-profile attacks on MGM Resorts, Caesars, and Reddit." — Dave Bittner [18:00]
Guest: Hugh Thompson, RSAC Program Committee Chair
Duration: Approximately 8 minutes
Notable Quotes:
"Innovation Sandbox, I think, is the ultimate representation of that [innovation]." — Hugh Thompson [15:05]
"Once you become a part of that top 10 cohort, you're then inundated with opportunities." — Hugh Thompson [16:42]
"The bad guys are working overtime, and we think that innovation that comes from these startups is going to be absolutely essential to cyber defense." — Hugh Thompson [19:50]
Overview:
Charles O. Parks III, self-styled as CP3O, orchestrated a creative yet illicit cloud computing scheme to mine cryptocurrency without incurring costs. He accumulated $3.5 million in unpaid bills from Amazon and Microsoft by exploiting premium services with deferred billing.
Notable Quote:
"This case highlights their commitment to cracking down on cybercriminals using complex schemes." — Dave Bittner [21:40]
The episode of CyberWire Daily delivered a comprehensive update on significant cybersecurity threats, vulnerabilities, and incidents impacting various sectors globally. From critical zero-day exploits in widely used protocols to sophisticated phishing schemes and innovative investment initiatives fostering cybersecurity advancements, the discussions underscore the dynamic and evolving landscape of cybersecurity. The interview with Hugh Thompson provided valuable insights into fostering innovation within the industry, highlighting the importance of supporting startups to stay ahead of emerging threats.
For more detailed information on today's stories, listeners are encouraged to visit the CyberWire Daily briefing at thecyberwire.com.