CyberWire Daily - A “flea” on the wall conducts cyberespionage. Cl0p update. Astrology finds its way into your computer systems. Fancy Bear sighted, again.
Episode Date: June 21, 2023

The Flea APT sets its sights on diplomatic targets. An update on the Cl0p gang's exploitation of a MOVEit vulnerability. Unpatched TP-Link Archer routers are meeting their match in the Condi botnet. The Muddled Libra threat group compromises companies in a variety of industries. A look into passwordless authentication. Derek Manky of Fortinet describes the Global Threat Landscape. Rick Howard speaks with Rod Wallace from AWS about data lakes. And Fancy Bear noses its way into Ukrainian servers.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/118

Selected reading.
Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries (Symantec)
Ke3chang (MITRE)
Third MOVEit vulnerability raises alarms as US Agriculture Department says it may be impacted (The Record)
PwC and EY impacted by MOVEit cyber attack (Cybersecurity Hub)
Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack (SecurityWeek)
MOVEit hack: Gang claims not to have BBC, BA and Boots data (BBC)
US govt offers $10 million bounty for info on Clop ransomware (BleepingComputer)
Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389 (Fortinet)
CVE-2023-1389 Detail (NIST)
Download for Archer AX21 V3 (TP-Link)
Threat Group Assessment: Muddled Libra (Unit 42)
Axiad and ESG Survey: 82% of Respondents Indicate Passwordless Authentication is a Top Five Priority (PR Newswire)
APT28 group used three Roundcube exploits (CVE-2020-35730, CVE-2021-44026, CVE-2020-12641) during another espionage campaign (CERT-UA#6805) (CERT-UA)
BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities (The Record)
CVE-2020-35730 Detail (NIST)
CVE-2023-23397 Detail (NIST)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Flea APT sets its sights on diplomatic targets, an update on the Cl0p gang's exploitation of a MOVEit vulnerability. Unpatched TP-Link Archer routers are meeting their match in the Condi botnet. The Muddled Libra threat group compromises companies in a variety of industries. A look into passwordless authentication. Derek Manky of Fortinet describes the global threat landscape. Rick Howard speaks with Rod Wallace from AWS about data lakes. And Fancy Bear noses its way into Ukrainian servers.

I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, June 21st, 2023.
A Chinese cyber espionage campaign has hackers hoping to be a flea on the wall in foreign affairs ministries across the Americas. The threat hunter team at Symantec released a new report detailing a recent cyber espionage campaign seen targeting various ministries of foreign affairs. This campaign is said to be conducted by the China-backed advanced persistent threat group called The Flea, with other known aliases that include APT15, Nylon Typhoon, and BackdoorDiplomacy, among others. It's deploying Backdoor.Graphican, a third-generation backdoor derived from the previously used Ketrican and BS2005. The report says that the major difference between the functionalities of Graphican and Ketrican are Graphican's use of the Microsoft Graph API and OneDrive to obtain its command and control infrastructure. Symantec also drew similarities between Graphican and Fancy Bear's Graphite malware, which also uses Microsoft Graph API and OneDrive as a command-and-control server. Though their techniques may be similar, this doesn't necessarily mean they're collaborating. The Flea aims to gain persistent access to its target's networks.
The Record reports that there appear to be at least 63 organizations that were compromised by the Cl0p ransomware gang via the MOVEit vulnerabilities. SecurityWeek says the group's victims include Gen Digital, the U.S. Department of Energy, the Nova Scotia government, British Airways, the British Broadcasting Company, Aer Lingus, and an array of others. Cybersecurity Hub reports that PwC and Ernst & Young were also compromised. Cl0p claims that it doesn't have stolen data from the BBC, British Airways, and UK drugstore chain Boots, although the BBC notes that it's entirely possible the group is lying. The gang also told BleepingComputer that it had deleted any data stolen from government entities.
Researchers at Fortinet's FortiGuard Labs discovered a campaign that uses a newly marketed distributed denial-of-service botnet, Condi. The botnet uses an unauthenticated command injection vulnerability in TP-Link Archer routers to infect machines. Condi includes several features to ensure it is the only botnet running on the infected machine. It also disables the ability to remotely shut down the router because the malware cannot survive a reboot or shutdown. The developer also seems to have incorrectly implemented the feature to kill previous versions of itself running on the infected router. Condi is unusual in using a scanner to search for open ports on HTTP servers to send what researchers say is a hard-coded exploitation request to download and execute a remote shell script that will infect vulnerable TP-Link routers. Condi creates an HTTP server that will in turn masquerade as a legitimate Apache HTTP server, responding with a "Server: Apache" header. A bargain in the C2C market, Condi is being offered on Telegram for the low, low price of just $5. Criminals can buy the source code for $50. Fortinet strongly recommends that users continue to update their machines to prevent threat actors from exploiting them. This vulnerability was discovered in mid-March of this year and was patched two days after its discovery.
Astrology may be making its way into your life, though not in the way that the mystic reading their horoscopes would tell you. Palo Alto Networks' Unit 42 is tracking Muddled Libra, a threat group that uses the 0ktapus commodity phishing kit to compromise entities in the software automation, business process outsourcing, telecommunications, and technology industries. Unit 42 assesses that the group has an affinity for targeting customers downstream of their victims using the data they've stolen, and they say that if allowed, they will return repeatedly to the well to refresh their stolen data set. This allows for a return to past victims even following the company's initial response.

Axiad this morning released the findings of a passwordless authentication survey it commissioned. Conducted by Enterprise Strategy Group, the survey covers an array of vectors related to authentication, challenges, user experiences, user attitude toward authentication, and the wants and needs of organizations that implement authentication measures. Professionals across the cybersecurity development and IT fields within North America were surveyed. Phishing and social engineering attacks proved to continuously be a point of concern as 92% of the survey's respondents reported fear over credential harvesting. Almost 60% of respondents report with confidence that they believe compromised accounts or harvested credentials have been the cause for a successfully implemented cyber attack within the last year. Passwordless authentication seems to be a prioritized vector for these professionals. As a majority, 82% of respondents placed a move to passwordless authentication within their top five priorities, with 85% reporting a move to passwordless authentication planned within the next one to two years. Respondents also report a belief that a move to passwordless authentication will aid IT and support teams within their organization, with 86% of those surveyed in agreement.
And finally, the GRU's APT28 group, Fancy Bear, used three Roundcube exploits against Ukrainian email servers in the course of a renewed and recently detected Russian cyber espionage campaign. The attack's success was enabled, CERT-UA says, by the victim's continued use of an outdated version of the Roundcube open-source webmail software, a version that remains susceptible to SQL injection attacks. CERT-UA credits the detection of the activity to information received from a Western company working within a program of regular information exchange and thanked them for their aid in their disclosure. The company is unnamed, but it's clearly Recorded Future, given the link CERT-UA provides to the research that tipped them off to the GRU campaign. Recorded Future says as much itself. An extensive account published yesterday by the company's Insikt Group says the campaign leveraged news about Russia's war against Ukraine to encourage recipients to open emails, which immediately compromised vulnerable Roundcube servers, and shared that they discovered an overlap in the campaign with activity from BlueDelta, who exploited the Outlook zero-day vulnerability last year. In any case, the investigation and exposure of the activity is a good example of the international public-private partnership that's proven useful to Ukraine in the cyber phases of its defensive war against the Russian invaders.
Coming up after the break, Derek Manky of Fortinet describes the global threat landscape. Rick Howard speaks with Rod Wallace from AWS about data lakes. Stay with us.
Derek Manky is Chief Security Strategist and Global VP of Threat Intelligence at FortiGuard Labs, part of security firm Fortinet. They recently released their semi-annual Global Threat Landscape Report, and I checked in with Derek Manky for the details.
To me, the most prominent and what we highlighted in the report is the rise of wiper malware or wiperware as it's known as well. So of course, these are attacks that have been quite limited in the past, Dave. Usually we saw maybe one of these campaigns per year, always APT focused. So nation state going after critical infrastructure. What we saw last year, and certainly in the second half of last year, was an acceleration effect where we're seeing much more wiper malware being developed. We are seeing it being mass distributed, so not limited to APT. Yes, we saw some instances that started as targeted attacks via APT groups, but it's really become commoditized. I mean, there's wiper malware we observed that's been available on GitHub, as an example. So there's a lot more families, a lot of distributions. We observed over 25 countries just with wipers alone. And if we compared the third quarter to fourth quarter last year, it was a 53% growth in activity just for wipers.
How is the wiper malware being implemented here? Is it replacing ransomware? Is that the threat to the organizations they're coming after?
So not replacing. It's unfortunately supplemental and complementary. It's a part of the playbook. When we talk about cybercrime, so what we're seeing really is the wiper malware being used in the playbooks along with ransomware campaigns. Because it is destructive in nature, they can show, you know, it's effectively saber-rattling, showing that they mean business, that they can take down critical systems, cause revenue loss, and demand a higher payment in ransom. So it's being used in the targeted ransom campaigns. And again, these are going from seven-figure to eight-figure ransom demands. And if we look at how they're implementing this, it's actually quite different, right? Every single wiper that we've observed, all are developed differently. Some are just looking at data. Some are looking at entire disks and partitions. Some that we've seen in rare instances are actually going after firmware, bricking devices as well.
I know one of the things that you're covering here is intelligence that CISOs have available to them. What are you seeing there?
Yeah, this one is quite interesting as well.
This is a good news story, Dave. So we often talk about the bad news. The threat landscape can be quite overwhelming. So this is a new feature in our report. And what we looked at was, we simplified this, looked at the total attack surface, which is how many vulnerabilities are out there in history since we started tracking vulnerabilities. And if you look at NIST and MITRE, you know, tracking about 200,000 plus, that's a lot, right? That's a big attack surface. But really what matters to organizations is what is the observable attack surface? So for each given organization, what vulnerabilities actually exist? And then what is the observable attack vulnerabilities, right? And so this is what we call the red zone, because it's a correlation of data sets where we looked at how many, you know, holes essentially are there out there that we can observe. But out of those holes, what are attackers actually going after and attacking? And again, if you, instead of boiling the ocean, now you're going from 200,000 vulnerabilities to roughly in that observable attack surface. It's much lower, about 15,000 of those we're actually seeing there as holes out there. But in fact, only 1% of those we're seeing under active attack. So that's a good news story is that, hey, we're not dealing with this. Yes, it's a massive attack surface. But in reality, these are the ones attackers are going after, and it's actually quite a bit of a smaller subset, something more manageable for CISOs.
What are you seeing in terms of innovation on the malware providers here? I know we're seeing a lot of things like ransomware as a service, but are they actively iterating? What are we seeing there?
So ransom as a service and crime services, that's one innovation piece. That's a business model, as we know. So there's a lot, a lot new services that we're seeing being added to their portfolio on forums that they're offering. You know, it started years ago with DDoS as a service, phishing as a service, botnet infrastructure stuff. Now, as you mentioned, ransomware as a service, but we're seeing more tagged onto that as well, like reconnaissance services as an example. So the service portfolio is one innovation piece, but the malware creation, what we're seeing, is a retrofitting aspect. It's quite interesting. Actually, a lot of the threats that we talked about years ago, Emotet, I'm going to pick on that as an example. Big threat prominent years ago has been multiple takedown attempts on it. We saw it's still one of the biggest families out there we see. And why? Because they're learning from success and they're building on existing code and retrofitting, right? Adding new elements to it to make it even more successful.
Well, based on the information you've gathered here, what are the take-homes? What are the recommendations for organizations to better protect themselves?
Yeah, so there's good news here again. The take-homes are just, if I talked about that red zone, there is simple management that can be done to really mitigate the risk for penetration and entry points that attackers are using to get into these or to deploy things like wiper malware as an example. Also, because the attacks are going to more of a targeted nature, organizations are better to be focusing on the left side of the attack chain, right? So more education and awareness, preparation, doing security training, penetration testing, breach and attack simulation, looking at things like deception technology as well too, because all these things can actually trap these attacks before they hit production environments. So that's one piece of it. On the other side, of course, as we talked, malware continues to innovate. So being able to observe zero-day malware attacks, such as the wiper malware families that are being created and the new ransom variants as well. ZTNA, we talked about zero-trust network access. These are all valid code payloads, valid techniques to mitigate.
That's Derek Manky from FortiGuard Labs, part of Fortinet.
Continuing our series of interviews from the AWS re:Inforce conference that took place recently in Anaheim, California, my CyberWire colleague Rick Howard speaks with Rod Wallace from AWS. Their conversation centers on data lakes. Here's Rick Howard and Rod Wallace.
The CyberWire is an Amazon Web Services media partner, and in June 2023, Jennifer Eiben, the CyberWire's senior producer, and I traveled to the magical world of Disneyland in Anaheim, California, to attend their AWS re:Inforce conference and talk to senior leaders about the latest developments in securing the Amazon cloud. I got to sit down with Rod Wallace, the general manager of Amazon Security Lake. Before Rod came to Amazon, he was a CISO building his own security data lake and was pressuring all the cloud providers to make it easier to do so. I started out by asking him to explain just exactly what he was trying to build.
Yeah, the things that, you know, as we moved from being really an enterprise focus that did all of its own IT on-premise towards cloud, one of the things we very quickly, and also as our applications went from being monolithic to microservices, it gave developers that opportunity to, as you said, microservices, they all log and build logging and troubleshooting around their individual service. And then when you go on to something like cloud where you essentially can spin up and spin down instances and you have all these services, well, all of those services teams generate logs, which is a two-edged sword for security teams. It's like, yes, we've got insight and visibility.
And it's like, oh, no. I have insight and visibility.
Yeah, and then like, so what do you do with this? I'm going to determine these things. It's like exhaust that comes off of these. And if you just try and take that exhaust and aim it at what was really meant at the time, like some kind of these on-prem mentality of like the analytics engines, you would very quickly run out of CPU or budget.
Yeah, hard drive space.
Yeah, right, absolutely, if you're doing it on-prem and these sort of things. So what we thought is, is that we need a cloud first solution to security as opposed to trying to bolt cloud into an on-prem security model. So my security team said, look, why don't we use cloud and the scalability of cloud to make a repository for our security logs that will grow with us and we can flex it up and down and change it over time. And that was the start.
Was it just a basic data dump? Just instead of trying to store locally, we would just get it up into, so we had all these, we could now store everything relatively cheaply compared to what we used to do. Is that what the basic idea was?
That was a basic idea, but we initially built it just for our on-prem, sorry, our on-cloud sort of things, because it's very easy to do that. And a lot of the AWS services we're using at the time, you know, just it's really easy to use. However, however, it's really easy to get started doing these things. But then as you get into it, you start discovering that you're, you know, you're one person becomes two, becomes four. And so, you know, we had an expanding team doing this. But we didn't just do a data dump, to your point, because you very quickly realize that what you end up with then is a dump.
Yeah.
And so we did things like try to build a schema. And then what happens when you do that, of course, is you have to go to all your app teams and say, hey, please, you know.
Follow my schema that I need, yeah.
And guess how thrilled app teams are.
Yeah, yeah.
You're not, right? So anyways, then we ended up spending our time chasing teams to try and keep them on the path. But anyways, it was helpful. It was less expensive than an alternative solution to that, and we used it. And what I kind of said to my team was, if one of the cloud providers ever makes one of these, like, let's go and use that, because we were finding that we were spending more time wrangling the data than analyzing the data, and that's death for a security team.
So you were knocking on the door of Amazon and the other cloud providers saying, hey, I need this kind of thing. And they said, hey, we're going to build one and come work for us, basically?
It was a little more circuitous than that. But one of the nice things about the cloud providers, all of them, doesn't matter which, really open to feedback and getting their CISO customers involved in feedback. And it just so happened I was on Steve Schmidt at the time when he was the CISO here, and we started having a conversation about how are we dealing with data exhaust. And a lot of the CISOs around me were nodding with this idea that they were building a security lake. And so at the time, unbeknownst to me, I guess they took that away and started using our working backwards process to essentially synthesize from customer feedback, what should we build? And they interviewed me as a customer along with many others. But then anyways, as time went on and I decided I wanted to go and do something else, I was just chatting with my friends at AWS, and they said, funny, you know, how would you like to come and do Lake a second time around? You know, and I leapt at the opportunity, you know.
So what's different now?
I mean, you're into it for how many years now you've been doing it?
Yeah, at AWS?
Yeah.
A year and a half.
So what's, in its current form, what have you added to it that you didn't think about when you were trying to build it yourself?
Well, there are a few things. One is in terms of getting your logs out of AWS. Now I'm inside the machine. So while we built Security Lake off of all the same services that any of our customers can use, we have access to some of the ways that we can get the logs in a way which doesn't disturb any of the other logging in place. So when I was building my own, we'd have to go to account owners and things like that, so we can just hook it up. So I would say the ability to take a lot of the friction out that I would have to have done as a DIY builder and did have to get into. But the other piece is that customers, and it's really interesting to see, want AWS to be an advocate for them out into the industry, the security industry specifically. So customers said, it's cool having a data lake, but if every darn source of logs or findings or whatever is in a different format, all you're doing is pushing a problem back to me. And they said, we don't appreciate it. So can you advocate? And so AWS does have, with its ecosystem, they have those conversations in the industry. And that's why the industry got together and decided to create the open source schema that we're adopting in Security Lake and they've been adopting as well. And then customers have really thanked us for that. I would not have been able to create and get traction with a schema or something like that on my own. And I know a number of our customers at DIY try building their own schema and they run into what I ran.
That's Rick Howard speaking with Rod Wallace from Amazon Web Services.

For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.