CyberWire Daily - A joint warning on BianLian ransomware. Fleeceware offers AI as bait for the gullible. Cyberespionage updates. And Ukraine formally joins NATO’s CCDCOE.

Episode Date: May 17, 2023

Cyber agencies warn of BianLian ransomware. There's a new gang using leaked Babuk-based ransomware. Chinese government-linked threat actors target TP-Link routers with custom malware. ChatGPT-themed fleeceware is showing up in online stores. Ukraine is now a member of NATO's Cyber Centre. Tim Starks from the Washington Post shares insights on Section 702 renewal. Our guest is Ismael Valenzuela from BlackBerry sharing the findings from their Global Threat Intelligence Report. And the CIA's offer to Russian officials may have had some takers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/95

Selected reading:
#StopRansomware: BianLian Ransomware Group (Cybersecurity and Infrastructure Security Agency CISA)
Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code (Cisco Talos Blog)
The Dragon Who Sold His Camaro: Analyzing Custom Router Implant (Check Point Research)
Fake ChatGPT Apps Scam Users Out of Thousands of Dollars, Sophos Reports (GlobeNewswire News Room)
Ukraine joins NATO Cyber Centre (Computing)
Russian Officials Unnerved by Ukraine Bloodshed Are Contacting CIA, Agency Says (Wall Street Journal)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Cyber agencies warn of BianLian ransomware. There's a new gang using leaked Babuk-based ransomware. Chinese government-linked threat actors target TP-Link routers with custom malware. ChatGPT-themed fleeceware is showing up in online stores.
Starting point is 00:02:17 Ukraine is now a member of NATO's cyber center. Tim Starks from The Washington Post shares insights on Section 702 renewal. Our guest is Ismael Valenzuela from BlackBerry, sharing findings from their Global Threat Intelligence report. And the CIA's offer to Russian officials may have had some takers. I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, May 17, 2023. We begin today's news with an alert about a currently active ransomware operation. The Australian Cyber Security Centre, the US FBI and CISA have issued a joint warning about BianLian ransomware. The criminal group behind it has been especially active against targets in Australia,
Starting point is 00:03:27 but it represents a general threat. The advisory says, The group gains access to victim systems through valid remote desktop protocol credentials. It uses open-source tools and command-line scripting for discovery and credential harvesting and exfiltrates victim data via file transfer protocol, Rclone, or MEGA. BianLian had formerly used a double extortion approach, but has recently
Starting point is 00:03:53 shifted toward a model that relies solely on threats to release the victim's data, as opposed to encrypt or destroy it. BianLian group engages in additional techniques to pressure the victim into paying the ransom, for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening phone calls from individuals associated with the group. Cisco Talos published a report Tuesday detailing a new criminal group which is using custom ransomware based on leaked Babuk code in double extortion attacks against U.S. and South Korean business sectors. Talos explained that this is just the most recent group to use Babuk-based ransomware. A member of Babuk reportedly leaked the group's source code on the dark web in September of 2021. The adversaries go by the name RA Group and target insurance, pharmaceutical, wealth management, and manufacturing
Starting point is 00:04:52 companies in the U.S. and South Korea, encrypting their data and threatening to sell it to the highest bidder on the dark web unless the company pays a ransom. Unlike some other approaches to extortion, this method puts a time restriction on the victim, which increases the pressure to pay. A Chinese state-sponsored threat actor researchers are calling Camaro Dragon is using a custom backdoor named Horse Shell to infect TP-Link routers. In a report released May 16th, Check Point Research found that this advanced persistent threat is using tailored access tools to infect TP-Link routers specifically targeting European foreign affairs entities. Check Point states, the discovery is yet another example of a long-standing
Starting point is 00:05:38 trend of Chinese threat actors to exploit internet-facing network devices and modify their underlying software or firmware. The APT's Horse Shell backdoor is a custom implant that allows the organization to maintain persistence on the infected machine. Check Point writes, The implant provides the attacker with three main functionalities, remote shell, file transfer, and tunneling. The implant is not specific to TP-Link routers. It can be configured to affect other firmware as well. The attack vector used to gain infiltration and infection is so far undetermined. There are significant code overlaps between Camaro Dragon's tools
Starting point is 00:06:19 and those used by Mustang Panda, enough to suggest that the two APTs with pony car-inspired names are related, but Check Point stops short of identifying them. More research remains to be done, and in the meantime, they're tracking the groups separately. Interest in AI is prompting scammers to turn to AI-themed fleeceware, which they're posting in both the Apple and Google stores. Fleeceware, which enrolls the victim in a free trial that subsequently converts quietly into
Starting point is 00:06:51 an unwanted continuing subscription, tends to fly under the online store's security radar, as it occupies a gray area between direct fraud and an offer that's nothing more than a bad deal. They typically don't, for example, collect personal data, nor do they make an overt attempt to subvert the platform's security measures. Sophos researchers detail the ways in which the scam is playing out. They follow five distinct fleeceware operations, all of which promise ChatGPT live AI functionality. One of them even trades on ChatGPT's name, calling itself ChatGBT,
Starting point is 00:07:29 hoping thereby to gull careless readers eager to get in on the AI. One of the marks of fleeceware is that it charges for products or services that are legitimately offered for free. The current scams are no different. OpenAI offers basic ChatGPT functionality for free on its website. Ukraine is not a NATO member, but it's now a contributing participant, along with Ireland, Iceland, and Japan, in NATO's Cooperative Cyber Defense Center of Excellence, CCDCOE. Computing reports that progress toward that status began shortly after Russia's invasion last year. It's now a formal reality. The CCDCOE is headquartered in Tallinn, Estonia, and Ukraine's ambassador to Estonia, Mariana Betsa, said the accession was an important event
Starting point is 00:08:20 that serves an important step on Ukraine's path to NATO. She added, In the light of Russia's continuous military aggression and hybrid war, Ukraine joining CCDCOE further strengthens our state's cyber capability. I want to thank the CCDCOE sponsor states for inviting Ukraine to join. I also extend my special gratitude to the Republic of Estonia as the hosting state for their support and assistance on our path to NATO CCDCOE. And finally, the CIA recently published a video invitation offering disaffected Russians, especially officials, a secure way of contacting them, and it may be attracting some takers. The Wall Street Journal reports that an official has told them it is resulting in contact.
Starting point is 00:09:16 The official declined to say how many Russians had made contact or what information they were offering, but the tone of the remarks is broadly optimistic. The message that went out through a range of social media channels was a digital expression of the goals the CIA's deputy director of operations, David Marlowe, said back in November. He said, we're looking around the world for Russians who are as disgusted with that as we are, because we're open for business. Coming up after the break, Tim Starks from The Washington Post shares insights on Section 702 renewal. Our guest is Ismael Valenzuela from BlackBerry, sharing the findings from their Global Threat Intelligence report. Stay with us. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:10:22 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done
Starting point is 00:10:55 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
Starting point is 00:11:46 over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Ismael Valenzuela is VP of Threat Research and Intelligence at BlackBerry. I spoke with him about the findings from their most recent Global Threat Intelligence report. Some of the things that we saw is an increasing trend in use of info stealers. This is, as everything around malware, also related to the microeconomic situation. A lot of people after the pandemic or during the pandemic working from home,
Starting point is 00:12:38 still we have a lot of remote work, hybrid work. So attackers are taking advantage of these new remote access capabilities to use these info stealers to steal corporate credentials, sell them on the black market. And this has been leveraged both by cybercrime and also nation states, the so-called APTs. And in this report, we talk about the most prevalent one,
Starting point is 00:13:04 which is called Redline, that steals a lot of credentials out of systems, browsers, FTP details, VPN details, and much more. Something else that we also saw that we haven't seen for some time is that attackers are trying to maximize their investment by targeting different platforms. Not just a desktop, but if I can, from the mindset of the attacker, the business mindset, if with the same effort I can create a piece of malware
Starting point is 00:13:37 that works on a desktop, on a server, on a mobile platform, on Windows, on macOS or Linux, that's a much better investment or use of my time. So that's what we're seeing. And we're seeing that there are more instances of malware written in languages like Rust or Golang that can be used across platforms. Based on the information that you all have gathered here, what are your recommendations?
Starting point is 00:14:06 How should organizations best go about protecting themselves? Well, we always go to the default answers with this, right? We say, oh, we need to ensure that we keep everything patched. And we often call these best practices. And I don't know what to think about it, but it sounds boring, right? Best practices, sounds like boring. It's important, right?
Starting point is 00:14:30 We need to do that, but that's not enough. I think that's like the bare minimum. Because attackers know that a lot of people are, you know, they do implement these best practices. But for example, patching, this is something we have to have. But if there's a supply chain attack, patching is not going to be the best defense against that.
Starting point is 00:14:49 It's not going to prevent that from happening. So I think that at the same time, there will be organizations out there saying, well, will I be a victim of a supply chain attack? So it all comes down to building a proper threat model. And that starts with, that's a strategy really. Before going and implementing defenses, we need to think about who has something,
Starting point is 00:15:16 who has an interest out there, right, in my organization. What do we have that could be interesting for anybody out there? And it could be cyber criminals. And we know that nobody is outside of the scope of those. Or it could be a nation state, something a little bit more targeted. And we see this constantly, especially in this world where the geopolitics are so complex right now.
Starting point is 00:15:39 We see a lot of those motivated attacks. But in general, having a zero-trust mindset philosophy to approach any defensive strategy where physical attacks are part of that, and a proper threat model according to your industry, to your profile, to your geolocation, where you conduct business. That's important. Can you make the case here for organizations engaging with someone who provides threat
Starting point is 00:16:13 intelligence, an organization like yourselves, and certainly there are other providers out there, for folks who aren't doing that, how do you describe the value proposition there? I'm glad you asked this because when I talk about threat intelligence, it's one of these words that can mean a lot of things to different people. So how do we package this, or how do we make it actionable? One of the ways in which we do this is with the reports that you see. We try to make an effort to make this understandable to a lot of different audiences. Not just the technical people,
Starting point is 00:16:46 which of course they want to know the analysis, the nitty-gritty details of the malware, how it works. But also to somebody like a CISO. I talk to a lot of CISOs of organizations that have maybe one or two security people. That's it. That's what I call the all-around defender.
Starting point is 00:17:04 The guy that has to wear a lot of hats and secure the endpoint, the servers, the cloud, the network, everything, and more. They do not have the ability to have a lot of people maybe doing threat hunting or things like that. It sounds fascinating,
Starting point is 00:17:19 but the reality is that these guys are just trying to put out fires, trying to patch machines, trying to do instant response. They don't have time for this. But they all need to make decisions and prioritize, where am I going to invest the little time I have or the little money I have, and how do I do this in a way that it's going to be meaningful
Starting point is 00:17:42 to my organization? And that's where threat intelligence can help. Threat intelligence has different tiers. It could be operational or tactical at the bottom of that pyramid, or it could be strategic. And this type of strategic information could be in the form of maybe a PowerPoint presentation. For example, if this organization that we're discussing here,
Starting point is 00:18:08 a fictitious organization, contacts business in Asia, there's so much interesting activity right now in Southeast Asia. We're seeing a lot of attacks against countries like Singapore, a lot of activity in Taiwan, with actors that are very, you know, nations in the area that are very interested in seeing what's happening in some of these countries, not only with government agencies, but also with mining companies, telecommunications, anybody that could have interesting information, right,
Starting point is 00:18:42 that a government might be interested in. What could happen if there is, you know, maybe an invasion of Taiwan in the near future? How can that change the whole business outlook for these organizations? What's the activity that's happening right now? How do we detect this?
Starting point is 00:18:59 This could be a presentation that could be for a CISO that could translate this information or present it to the board on, look, based on our profile, this is what we should invest in more. This is what we should be doing or stop doing. That's Ismael Valenzuela from BlackBerry. Joining me once again is Tim Starks. He is the author of the Cybersecurity 202 at the Washington Post. Tim, it's always great to welcome you back. Hello, hello.
Starting point is 00:19:40 So, very interesting report you put out in a recent Cybersecurity 202 here. You're really looking at Section 702 surveillance and reaching out to your network for insights on that. Can we start off with some explanatory stuff here for folks who may not be familiar with it? How do you describe Section 702? Yeah, so it is a part of the 1978 Foreign Intelligence Surveillance Act. It's always interesting how many of these laws that govern some of our modern digital rules are dated back that far, although the Section 702 powers didn't get created until well after 9-11. This is a part of the law that says that the U.S. intelligence community can conduct bulk, widespread surveillance on foreign targets, ostensibly originally for counterterrorism purposes, without an explicit warrant for each of those pieces of surveillance.
Starting point is 00:20:37 The reason it's controversial from the start was that you can target those foreign targets, but they might be communicating with people in the United States. And then after, there are ways for people in the security community, security government community, to access or query those communications based on American identifiers. So you get into some real privacy concerns there. But what you also hear from the Biden administration, especially with the Section 702 powers about to expire at the end of this year,
Starting point is 00:21:10 that it is a very, very powerful tool. It is perhaps their most powerful tool in certain ways, and that it is increasingly, mostly being used to counter cybercrime. Hmm. So you reached out to your network, folks who subscribe to the 202 for insights here, and you got some interesting responses.
Starting point is 00:21:49 our experts that we've decided to, when we do a poll, ask them a question and report on their results statistically, but then also for those who are willing to offer an explicit on-the-record comment why they voted the way they did or why they took the answer they did. And in this case, there were three choices. One was just reauthorize it as is. Another was reauthorize it with changes. And another was don't reauthorize it. And in this case, the pretty significant majority, 64% said reauthorize it, but make some changes. And then another 20% said reauthorize it. So that's a pretty significant percentage. They're saying we need this power. And another complicator in getting this thing reauthorized is that Republicans have taken issue with FISA overall, not this particular section, due to some negative reports about how
Starting point is 00:22:35 this was used to spy on the Trump campaign or a Trump campaign official. And actual audits were saying, yeah, this is not, the way they did this was very faulty. So the gripes about FISA usage in this case seem quite legitimate. So you have a combination of folk on the left and the right who don't like this Section 702. But the people who are in the cyber field that are our readers and parts of our network are saying we need to keep this for the most part. Can we go through the arguments here? I mean, for those who are saying that we want to reauthorize and perhaps do so with changes versus those who are saying, no, we should need to scrap this and start over. Yeah, which is interesting because if you look at the percentage of people
Starting point is 00:23:16 who are the majority saying we need to reauthorize this with changes, they don't have one answer, which is another indicator of how difficult this is going to be. We already mentioned the conflict on the left and right, but people don't have a unified idea about the specific way in which we need to make changes. So one of the stealth aspects of the survey result is that we see how more complicated this is going to be. So one example of a change that people have talked about is,
Starting point is 00:23:50 we mentioned that issue of people being able to query Americans' data or access it indirectly through the sort of incidentally collected communications that were targeting foreigners. There's some suggestion that we need a warrant requirement for that, for the American part of it. Then there are issues related to the EU and the data privacy situation we've got going with them. They have had objections to the way 702 has been used in a bulk way to collect information on people there.
Starting point is 00:24:16 That's another issue to consider. There's also the fact that apparently, we mentioned that American warrant requirement, there's some concern from some of our folk in the network pool who said, actually, if you do that, that's going to make the EU even more mad because they're already mad
Starting point is 00:24:31 that we're treating them as a sort of second-class target. So that targeting part is a complicator. On the side of people who are in favor of renewing it, they do cite the Biden administration arguments, which are, this is an extremely, extremely powerful tool. It has saved lives on the counterterrorism side. It's one of the reasons why we don't have anti-terror attacks all these days.
Starting point is 00:24:55 On the negative side, there are people who are saying, it's just too much privacy violation. It's unconstitutional, fundamentally. The range of opinions was really fascinating. Yeah. How do you suppose this is going to play out? As you mentioned, we've got until the end of the year to make something happen here. Oh, God. Why are you doing this to me, Dave?
Starting point is 00:25:20 I've covered Congress for so long, and it's always hard to predict what they're going to do. And my default mode is always to say if there's something that they might do, they probably will not. In this case, I think there's a chance. You know, there have been times where they've sort of punted this kind of thing. Oh, the deadline's coming up. We weren't ready. We'll just renew it for six more months. And then they fight about it for a longer time.
Starting point is 00:25:42 And then, oh, we're not ready yet. It was six more months. And then eventually they'll come around to something permanently. I think that there's room for compromise here. The issue is how much of it the administration will accept. I mentioned that American warrant requirement, American citizen warrant requirement. The administration says that's not workable. It won't work.
Starting point is 00:26:01 At some point, maybe they might come to a compromise in Congress, but will the administration buy it? And if they don't, obviously there's veto authority. So it's a tough one. There are times where I feel confident that I think I know how things are going to go. I don't feel good about this one. I have no clue, honestly. Fair enough. What do you think?
Starting point is 00:26:19 Where's it going to go? What do you think? Well, we're out of time, Tim. I gotta go. Tim Starks is the author of the Cybersecurity 202 at the Washington Post. Tim, always a pleasure. It was
Starting point is 00:26:33 a pleasure until the end, Dave. I'll talk to you next time. Later. Thank you. ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:27:45 We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter.
Starting point is 00:28:28 Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.
