The growth of TheMoon malware and its contribution to the Faceless proxy network, shining a light on the vital role of cybersecurity in safeguarding critical infrastructure. Featuring insights from Lumen Technologies’ Black Lotus Labs and CISA’s new reporting mandates.
[00:02:53] The Moon Malware
[00:07:37] Critical Infrastructure Cybersecurity Updates
[00:17:08] Personal Cybersecurity Tips & Encouragement
Original URLs:
- https://blog.lumen.com/the-darkside-of-themoon/
- https://krebsonsecurity.com/2023/04/giving-a-face-to-the-malware-proxy-service-faceless/
- https://www.cybersecuritydive.com/news/cisa-notice-critical-infrastructure/711506/
- https://www.cisa.gov/news-events/news/cisa-marks-important-milestone-addressing-cyber-incidents-seeks-input-circia-notice-proposed
- https://thehackernews.com/2024/03/key-lesson-from-microsofts-password.html
Follow us on Instagram: https://www.instagram.com/the_daily_decrypt/
Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/
Tags: cybersecurity, TheMoon malware, Faceless network, Lumen Technologies, CISA, critical infrastructure, cyber incident reporting, Microsoft, Midnight Blizzard, NOBELIUM, password spray hack, IoT security, proxy services, cyber threats, router vulnerabilities
Search Phrases:
- Exploring TheMoon malware and its impact on cybersecurity
- Understanding Faceless proxy service and cyber anonymity
- Lumen Technologies’ fight against cyber threats
- CISA’s new cyber incident reporting rules for critical infrastructure
- Microsoft’s response to Midnight Blizzard cyber attacks
- NOBELIUM’s tactics in cyber espionage
- How to protect routers from cyber attacks
- The significance of cybersecurity in safeguarding critical infrastructure
- Cybersecurity best practices for IoT devices
- Strategies to counter password spray hacks
- Importance of secure accounts in preventing cyber attacks
- Analyzing the growth of proxy networks in cybercrime
- The role of critical infrastructure in national cybersecurity
- Updates and insights from CISA on cyber incident management
- Microsoft’s investigation into state-sponsored cyber threats
Transcript:
Transition (Short) Low Energy
[00:00:00] Welcome & Introduction
offsetkeyz: Welcome back to the Daily Decrypt. Fly me to the moon.
[00:00:08] The Rise of The Moon Malware
offsetkeyz: The Moon malware is now covertly amassing over 7,000 SOHO routers and IoT devices each week into the Faceless proxy network, as unveiled by Black Lotus Labs at Lumen Technologies, signaling a worrying escalation in cybercriminal capabilities. What steps can be taken to prevent devices from falling prey to The Moon malware and contributing to the expansion of the Faceless proxy network?
Critical infrastructure entities such as power and water are now mandated to swiftly report cyber incidents and ransom payments following new rules proposed by the Cybersecurity and Infrastructure Security Agency, known as CISA, marking a crucial advancement in bolstering the nation’s cybersecurity defenses.
And finally, we’ve got the expert dogespan back to discuss some lessons learned from the recent Midnight Blizzard Microsoft breach. So stick around for that juicy goodness.
So recently we reported on SOHO routers, which is small home. What is small,
dogespan: small,
office, home office.
offsetkeyz: small home office office, small. Is it small office, home office?
dogespan: Yeah. South of Houston street,
offsetkeyz: So yeah, recently there’s been some news on SOHO routers being vulnerable to these malwares, pulling them into proxy networks. And so this isn’t necessarily breaking news, but there has been some recent research coming out that shows some pretty staggering numbers. So the latest findings by Lumen Technologies’ Black Lotus Labs spotlight a startling expansion of the Faceless proxy network, with The Moon malware enrolling over 7,000 new users per week into its ranks. That’s a lot of routers.
dogespan: ISP routers right there?
offsetkeyz: I would hope not, but your ISP has no incentive whatsoever to replace that router, and you’re paying a rental fee. So
dogespan: Yep.
offsetkeyz: There’s a little bit more information linked in the show notes below, but an aggressive campaign in early March of 2024 saw over 6,000 ASUS routers compromised in less than 72 hours. So at this rate, they’re well over 40,000 (last we checked in February) plus 7,000 each week. The Moon malware continues to refine its infection methods, targeting devices with accessible shell environments before implementing a series of iptables modifications. This prepares the compromised device to serve as a proxy, facilitating anonymous internet usage for malicious actors through the Faceless service.
[00:02:53] The Moon Malware
offsetkeyz: First of all, we can talk about what a proxy network is. It’s essentially just tens of thousands of devices that cybercriminals are able to route their traffic through. So that’s bad news for you, whether you’re trying to avoid people snooping on you, or you’re trying to protect your privacy, or you’re trying to not be an accomplice in cybercrime. In the article linked in the show notes below, you’ll be able to see some indicators of compromise, but the biggest thing is that’s the gateway to the internet for you.
So everything going in and everything coming out of your house is now accessible to these attackers. They’re probably not interested in that. They’re interested in just having the power to route their criminal activity through 40,000 routers. But when you hand criminals a bunch of free data, they’re probably going to get around to using it.
So what can you do to prevent your router from being part of this proxy network? Make sure it’s up to date. And that’s kind of tricky for most users. You’re going to actually have to go into the router, which is a bit of a process. You also really want to make sure the username and password to your router are changed, because they’re probably accessible via the internet. Like, I could go Google your router model number and find out what the username and password is, enter it in, and boom.
dogespan: There’s a number of them, just out on the internet, you can throw creds at them at any point in time.
offsetkeyz: Yeah. Once you start getting into cybersecurity, you’ll quickly come across the sites that just index all vulnerable routers. What, what’s the site that I’m thinking of? Do you remember, dogespan?
dogespan: Shodan. Shodan.
offsetkeyz: If you just go on there, you can, first of all, you can check your IP and see what the deal is.
But yeah, there’s a lot of ’em. So this proxy network is growing quickly, probably thanks to Shodan, but mostly because there’s a lot of vulnerable routers out there. Even if they’re not end of life, people just don’t change their password. They don’t know. So tell your mom, tell your friends, tell your grandpa: change your router password. It’s a big deal.
Honestly.
dogespan: Yeah, it’s interesting. Of course there is the proxy implication, so the attacker is, like you said, most likely just using it to hide and cover their tracks, and one of the things that could come out of that, I think you did mention it, is that you could be legally implicated for certain types of activity.
And while you’re not the person doing it, if you are, like, the exit node or close enough in the chain for beginning or end, you might get picked up. So definitely see if this is something that is affecting you. A lot of this malware, you can just reboot the router, like give it an unplug for 10 seconds, 30 seconds, and plug it back in, and a lot of the malware will die off, but then of course, make sure it’s updated.
One thing you can do is request that your ISP updates your router. So if you have been paying that monthly lease, if it’s been two years, call them and tell them that you want a new one.
offsetkeyz: Yeah, I’m sure it’s even built into your contract that you’re entitled to a new router after X amount of months, and it probably isn’t more than 18.
dogespan: Mm hmm.
offsetkeyz: They know they’re not updating it, they’re not forcing updates, and they know you’re not updating it, so they probably legally have to offer you a new one.
So all you have to do is call, and you might be on hold for a while, but just, yeah, get a new router. If you’ve inherited an ISP router and you feel really proud of yourself because you’re not paying the 7 a month anymore, and you’ve had the same router for five years, this right here serves as your official notice to not do that.
Go get a new one.
So yeah, to wrap this up, the article linked in the show notes recommends a couple things. They recommend first of all blocking botnet traffic based on certain indicators of compromise. So if you’re a network defender, see that article for those IOCs. But consumers with SOHO routers should follow best practices of regularly rebooting routers, as dogespan said, and installing security updates and patches. And they provide a full link on how to do that, by the Canadian Centre for Cyber Security.
offsetkeyz: So thanks, Canadia. And, for organizations that manage SOHO routers, make sure the devices do not rely upon common default passwords. They should also ensure the management interfaces are properly secured and not accessible via the internet. And again, another article explaining exactly how to do that.
So, do those things, call your ISP, and you should be good to go.
transition: DOG. DOG. DOG. DOG.
[00:07:37] Critical Infrastructure Cybersecurity Updates
offsetkeyz: So one of the common themes, if you’ve been listening for a while, is critical infrastructure. The White House has been releasing guidance to critical infrastructure IT departments. There’s been a real emphasis on securing critical infrastructure. Turns out that’s because it’s constantly under attack and it’s our Achilles heel.
If attackers can get our critical infrastructure, they can probably shut down our internet, and then we have no way of protecting ourselves. They can shut down our power, we have no security cameras, you know, we have no food, can’t nourish our bodies to go to cyber war. The most recent step in this effort is that the Cybersecurity and Infrastructure Security Agency, known as CISA, introduced a proposed rule mandating that critical infrastructure entities report significant cyber incidents within 72 hours and ransom payments within 24 hours.
So this is pretty huge, because we don’t really have the data. We don’t know how these critical infrastructures are getting attacked, if they’re paying, if they’re not paying. We’re all kind of guessing. So it’s gonna suck a little: another checklist item while you’re under attack, but it’s going to help overall critical infrastructure stay secure.
dogespan: Yeah, Critical Infrastructure definitely needs to be reporting that up as soon as possible. It’s such a big deal. And I do like that they’re imposing that on Critical Infrastructure. It’s a really good step in the right direction. 72 hours?
offsetkeyz: Yeah, that’s a little generous, and yeah, there’s a lot of conflicting feelings about this. Especially if you’re under ransomware attack, attackers are telling you not to report it, attackers are saying they’re going to shred your data, they’re going to destroy it if you report it up, and when you’re under attack, you’re afraid, and you might have the money, and you might just pay them, and you might forget to report, and that might cause fines or whatever. So that’s just one of the cons to this, but we really need this data. It’s going to help keep critical infrastructure more secure.
It looks like this rule is expected to affect over 316,000 entities with an estimated cost of 2.6 billion.
There is some debate as to what qualifies as critical infrastructure, and I’m surprised that this guidance came out with gray area at all. It should be pretty exhaustive, but according to the article linked in the show notes, which we always encourage you to read for yourself (don’t just listen to what we’re saying as truth, go read it for yourself),
the U.S. recognizes 16 critical infrastructure sectors, but debates continue about the scope of entities required to comply. For example, UnitedHealthcare Group qualifies under the current definitions, but the status of Change Healthcare, which was recently breached, is kind of gray. It’s uncertain, which doesn’t make sense to me.
If there’s uncertainty, people aren’t going to report, and then they’re going to claim they didn’t know. So let’s figure that out.
dogespan: Yeah, I’d definitely like to see them move in the direction of just, when in doubt, report. Because if you’re getting CISA involved, they’re going to lend that expert help. If you’re not equipped to do the investigation, you’re better off just letting them know and cooperating with them. Even with ransomware and you going and paying it, you’re hoping that they live up to their word?
And that’s a criminal.
offsetkeyz: Yeah, exactly. It’s a lesson in all facets of life, from big enterprises down to personal as well. If you need help, ask for it. If you did something wrong, tell the people it impacts. Any smart person receiving this information is going to try to help as hard as they can, and they’re not going to hold it against you.
Simply telling the truth always wins, so do it,
dogespan: That’s exactly what I tell my kids.
offsetkeyz: and they need to hear it, and so do many others.
dogespan: Alright, so the last one. Midnight Blizzard, also known as Nobelium, a Russian state-sponsored actor, got into Microsoft, and they did so through the use of password sprays. So password spray being they just go down the line hitting as many passwords as they can on any account and hoping for the best.
Well, this was against Microsoft, and it ended up being successful. Nobelium got access to a dev account, and this account ended up having elevated privileges. Throughout the stages of this attack, they ended up going up higher and higher and higher through privilege escalation.
This one was a privileged account, but it was in a development environment. They ended up getting access to an account and started sending off phishing emails across the board to their executives. Well, they ended up getting a couple of hits, and there was no MFA on those higher-up accounts. That’s probably the most shocking aspect of that. We know that. This was all previous information. So, what’s happening now? Microsoft has gotten them out, and they have been doing all their recursive investigations. So the evidence of this is that they got access to, well, source code and internal systems.
Luckily, no customer-facing systems were compromised. They did have access to source code, but nothing customer related, so we are still in the clear. However, go change your passwords. Now, being that they’ve had access to this stuff, they’ve been able to start probing at systems a little bit more in depth, and these, well, Microsoft has noticed since this that password sprays have increased tenfold.
offsetkeyz: What? Against Microsoft, or in general?
dogespan: Probably Microsoft systems, since they have access to that kind of data, but they, it does say here that they are increasing their security investments. Good, good, good. Cross-enterprise coordination and enhanced defense capabilities against this persistent threat. So that sounds like they are working with customers to make sure that everybody’s safe and sound. Good on them. Overall, I think they’ve done a good job with this response.
In recent weeks, they have seen that Midnight Blizzard is using the information that they originally exfiltrated to attempt to gain more unauthorized access.
This comes from two different sources.
One was directly from Microsoft’s blog, and then the other was a summary from the Hacker News. I like how the Hacker News, they’ve gone and broken little bits of it and kind of translated it more targeted at a smaller organization, and not so much, you know, how Microsoft got hit by this stuff. And one of the things that they mentioned is the importance of protecting all accounts. This ended up being an attack against a privileged developer account or a developer environment. And a lot of times what happens in larger organizations is you kind of create accounts, you create stuff, and it serves its purpose, and you never delete it. So it’s super important to make sure that you either have good security on it in the first place, or you delete it as soon as you’re done with it.
Now, how does that translate to the regular user? You mentioned this in yesterday’s podcast. When you’re downloading an app for a single purpose, do you typically leave it on your system, or do you delete it afterwards? One of the things that I try to think about is ordering food. A lot of them, you cannot order food through a web browser unless you’re actually, like, physically on a computer. It’s going to be so persistent to try to get you to go to that app. A lot of times it won’t even let you; like, McDonald’s is one of those good ones.
You are automatically rerouted to that app. Every single time, I download that app, order my food, pick up my food, and then I delete that app. And it’s not so much that it’s McDonald’s, but you just don’t know what else is involved in that. And McDonald’s is all about food, not data security.
offsetkeyz: No, I mean, they are a fortune five company, probably. So hopefully they have a good security system, but yeah, you’d be surprised at the permissions the McDonald’s app asks for. And Hawkrow Farmer and I were discussing this a week or two ago. When you’re hungry, there is a serious sense of urgency.
And attackers know under what circumstances there’s a sense of urgency. So if you’re on DoorDash and you’re having a hard time getting the food, you might pivot over to some other delivery service by Googling it, clicking on an ad, and then downloading the app from that ad. Because you’re really hungry and you’re just trying to get your food.
So now you’ve downloaded the wrong app, you create an account, username, same password you use on your bank, same email you use on your bank, they now have that, they go to your bank, they get you, whatever. Now you’re in a proxy network because you left that app. There’s so many bad things that happen, but the one thing about, that’s a good example, doges, is urgency.
And when you’re hungry, things feel very urgent.
dogespan: Very, very urgent. If an attacker has access to a password and it’s associated with an email, they’re going to try it anywhere and everywhere. And one of the key areas that they’re going to try it is your email provider, because that is clear evidence that you have an account there. So that’s the main takeaway with it from this, even on a large enterprise scale, is all accounts need to be protected.
[00:17:08] Personal Cybersecurity Tips & Encouragement
dogespan: If you can’t protect those accounts, use them for what you need to and remove them. Whether that’s just getting an app on your phone or creating an account just for the purpose of ordering some food, delete it afterwards.
offsetkeyz: Yeah, we’d like to just harp on not reusing passwords. Um, if someone can get into your email, they can reset any password on any account that you have, because, I mean, what’s the first step? I think I talked about it in yesterday’s episode. When you click the reset password button, what does it do? It sends you an email to click on a link to go reset your password.
And that’s all it is. So if, if the attacker has access to your email address, they can reset any password, including your bank, including your Instagram. You know, the more I talk to people about password reuse and password managers and multi-factor authentication, the more I’m met with fear and shame.
Shame is really the key one, and the shame doesn’t quite outweigh the fear. Like, it never is enough to get them going, but it is a negative feeling associated with passwords. And what I mean by that is people are just always ashamed that they haven’t done this, or they haven’t done that, whatever.
They reuse their password. They’re really ashamed. Well, this can serve as a good example for you that even executives at Microsoft haven’t enabled multi-factor authentication. You’re doing okay. Just try to chip away at it, one piece at a time. Try to enable multi-factor authentication.
Don’t surrender to the shame.
dogespan: It doesn’t have to be something that you, you know, you decide today when you wake up that I’m going to go enable MFA on all of my accounts. How I handle that is when I log in and I don’t get prompted to authenticate myself, I think, is there a way to get MFA? Put a little sticky note somewhere that says, go check your security settings on this website when you’re done with what you’re doing. So you don’t have to break focus, just real quick, security settings. Go back to it after you’ve checked your balance or whatever it is you went to. And then the next time you log into something else and you don’t get prompted for MFA,
offsetkeyz: it’s a slow process, and that’s okay. It’s okay to be a slow process. Really focus on the important things to start, and the more you get going, the easier it gets. But right now, if you haven’t started, it seems like it’s going to be really painful, but think about it. What happens when you accomplish really painful, really hard tasks?
You get a flood of dopamine. Look forward to that dopamine hit when you actually enable MFA and change your password and download that password manager. It sounds impossible right now. It will feel so good. I still get that dopamine hit every time I make a little chip away at my security.
dogespan: Leave a comment. Let us know that you did it and we will praise you.
offsetkeyz: We will, we will. I’ll make a freaking whole podcast episode about you. Dude, I was talking to my parents this week. Shout out to my parents. My dad, unprompted, made his first passkey for Amazon.
dogespan: Oh,
offsetkeyz: Yeah. And my dad is an electrical engineer, and he actually informed me that he has some patents in encryption algorithms.
And so I said, Dad, I don’t know how passkeys work. I spent two hours banging my head against the desk trying to figure it out. So if you figure it out, I’m bringing you on the podcast. You get to explain it to my listeners. So, really excited. You guys get to meet my dad, but he was so excited when he enabled his passkey, and you too can share that joy. So yeah, to bring it back to the Microsoft thing, and I don’t want to make this an ethics podcast per se, but it always, so it ignites a fire within both me and dogespan, uh, just personal security and how easy it actually is. Not to shame you by any means, but you can take certain easy steps to drastically improve your security.
But Microsoft here is doing exactly what we were preaching in the previous segment, which is reporting things. They’re doing a great job. They’re saying they messed up, and, hey, we’re kind of on board. We’re like, wow, great. Thank you so much. It’s when companies try to hide it, like LastPass, for example.
Um, I was a diehard LastPass user, and hey, LastPass is better than nothing, even still, but it was really the fact that they hid their breach and tried to downplay their breach that ultimately got me to switch off of LastPass. I think their service now is great. It’s fine. I would trust it a lot. So if you have LastPass, great.
But it’s ultimately the way that LastPass makes you feel. Like, no more warm fuzzies. More like cold sharpies. You know, it’s just stabbing me when I think about LastPass. So, good on Microsoft for just reporting and continuing to uncover new things, and we can all learn something from them.
dogespan: close to a month now, about how consumers are actually taking that into consideration more and more. Where I was under the impression that it was just us tech nerds that were looking at it and going, ew, you got a breach and you didn’t handle it poorly, but more consumers are looking at that and
everybody is going to get hacked. If you haven’t been hacked yet, you just don’t know it. It has happened. Own up to it, it’s fine. Handle it well. Go the appropriate steps.
offsetkeyz: I mean, this story is evidence of that more than anything, that Microsoft just got hacked. I mean, they, they made the, they made the first computer. They made the internet.
So yeah, no shame, especially nowadays when the weekly breaches are, it’s a very long list of breaches out there. I like this article from the Hacker News. Another great thing is it has a section titled “Defend against password spray attacks,” and it has four actionable steps. I’m surprised multi-factor authentication isn’t the first one.
Should be the first one. But if you’re in an organization and you have access to the Active Directory domain controller or admin rights there, you can run password audits. Have any of the passwords for any account on your Active Directory shown up on the dark web? There’s search engines that just list passwords on the dark web. There’s search engines that list email addresses, which is probably more applicable for the day-to-day user, but you can just, yeah, search.
I think it’s even Have I Been Pwned. Like, they have a password search feature, and Have I Been Pwned has an API, so you can set it up using the API and automate it. But that’s something I hadn’t considered, is just audits. That could have saved it if they’re unwilling to enable multi-factor authentication.
Multi-factor authentication, we talk about it like it’s a, like a silver bullet, but it is susceptible to attacks too, especially MFA bombing or MFA fatigue. The weakest link in anything, in anything security, is the human element. So even if you have enabled MFA, you can still do these password audits. You can only secure yourself more.
So yeah, that’s, those are just some of the action items you can take either as an individual or as a corporation.
And yeah, the point of bringing this up was just to kind of recap on this big attack and have a discussion. So, got anything else for us dogespan?
dogespan: No. Get a password manager.
offsetkeyz: And as always, get a password manager. I’m gonna, it’s like a drinking game around my house. How many times do I say password manager in a night? And I’m heading to a bar after this, where you better believe I will be talking about password managers.
[00:24:57] Closing Thoughts & Thanks
offsetkeyz: But that’s all we got for you today. Thanks so much to dogespan for coming back. We’ve missed you. Our editing software has missed you, and we hope you’ll be more of a frequent guest. Oh, he’s back, baby. And I hope your work, or organization, place where you work, lets you have Friday off like mine does.
Uh, so TBD if we’ll have an episode tomorrow, probably, because I’m an addict, but if we don’t, have a great weekend. We’ll talk to you later.