CyberWire Daily - A look at Iran’s MERCURY APT. Updates on Russia's hybrid war, including some apparent leaks and some apparent doxing. And notes on cloud security trends.

Episode Date: April 10, 2023

An Iranian APT MERCURY exploits known vulnerabilities. The US investigates apparent leaks of classified information about Russia's war against Ukraine. KillNet claims it has paralyzed NATO websites. More apparent doxing of the GRU. Britta Glade and Monica Koshgarian of RSA Conference talk about content curation. Grayson Milbourne from OpenText Cybersecurity hopes to remove shame from cyber attacks. And, finally, some notes on cloud security trends.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/68

Selected reading.
MERCURY and DEV-1084: Destructive attack on hybrid environment (Microsoft Threat Intelligence)
Leaked US battlefield intelligence on Ukraine is fake, says Kyiv (The Telegraph)
Russia Claims Leaked Pentagon Intelligence on Ukraine is U.S. Disinformation (US News and World Report)
Leaked US secret NATO-Ukraine war docs likely altered, say experts (SC Media)
Ukraine's air defences could soon run out of missiles, apparent Pentagon leak suggests (The Guardian)
Russia nearly shot down British spy plane near Ukraine, leaked document says (Washington Post)
Justice Dept. will investigate leak of classified Pentagon documents (Washington Post)
US investigating whether Ukraine war documents were leaked (Military Times)
U.S. Reviewing Online Appearance Of Sensitive Documents Related To Ukraine, Pentagon Says (RadioFreeEurope/RadioLiberty)
WSJ News Exclusive | Pentagon Investigates More Social-Media Posts Purporting to Include Secret U.S. Documents (Wall Street Journal)
New Details on Intelligence Leak Show It Circulated for Weeks Before Raising Alarm (Wall Street Journal)
Intelligence leak exposes U.S. spying on adversaries and allies (Washington Post)
Secret US Documents on Ukraine War Plan Spill Onto Internet: Report (SecurityWeek)
US hit by 'worst leak of secret documents since Edward Snowden' (The Telegraph)
Ukraine at D+410: Static, sanguinary lines. (CyberWire)
Report Finds 90% of IT Professionals Have Experienced a Cybersecurity Breach (Skyhigh Security)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. An Iranian APT Mercury exploits known vulnerabilities. The U.S. investigates apparent leaks of classified information about Russia's war against Ukraine. Killnet claims it's paralyzed NATO websites. More apparent doxing of the GRU.
Starting point is 00:02:17 Britta Glade and Monica Koshgarian of RSA Conference talk about content curation. Grayson Milbourne from OpenText Cybersecurity hopes to remove shame from cyber attacks. And finally, some notes on cloud security trends. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 10th, 2023. Microsoft Threat Intelligence described Friday how Mercury, an Iranian government-linked cyber threat actor, has begun working with an unidentified organization Microsoft calls DEV-1084. The two groups seem to be conducting pseudo-ransomware attacks and then destroying the data they were supposed to be ransoming. So the incidents amount to wiper attacks. The groups have gained access to on-site resources
Starting point is 00:03:31 as well as cloud environments that allowed them to wreak extensive damage to the target's infrastructure. Microsoft assesses that the threat actors attempted several times and succeeded to perform initial intrusion leveraging exposed vulnerable applications, for example, continuing to exploit Log4j 2 vulnerabilities in unpatched systems in July 2022. After access was gained, the actors used Windows native tools to develop the network in an attempt to remain undetected. Microsoft writes, Mercury likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery,
Starting point is 00:04:18 establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage. The time frame across which this operation took place shows the persistence of these groups, while the lack of clear financial gain from this kind of attack seems to indicate that the main goal was denial of service and data destruction.
Starting point is 00:04:43 Microsoft says, DEV-1084 was then later observed leveraging highly privileged compromised credentials to perform en masse destruction of resources, including server farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients. The attacks would therefore seem to involve sabotage, collection, and battle space preparation. And we note, as always, in full disclosure, that Microsoft is a CyberWire partner.
Starting point is 00:05:15 The U.S. Department of Defense and Department of Justice are both investigating an apparent leak of classified information concerning the war in Ukraine. Neither department is providing much in the way of information on the investigations, which are ongoing. The material appeared last week in Russian social media channels, although at least some of it may have been in low-key circulation in fringe sites for some weeks. The Wall Street Journal reports that it began among a small group of posters on a messaging channel that trafficked in memes, jokes, and racist talk. The story is still
Starting point is 00:05:52 developing, and the authenticity of the documents remains in dispute. Ukraine characterized them as Russian disinformation, the Telegraph reports. U.S. News describes the Russian reaction, which is to publicly denounce the leaks as U.S. disinformation designed to peddle a false story of Ukrainian unreadiness, designed to lull Russian forces into a false sense of security. And, citing analysts at Mandiant, SC reports reasons for thinking that the leaked files, whatever their source, have been altered in the Russian interest. Altered or not, the Pentagon is treating them as apparently genuine, officials tell the Washington Post. Some reports have said they include war planning, but this seems not to be the case. The Russian cyber-auxiliary Killnet claimed it had conducted a massive attack on NATO infrastructure this weekend.
Starting point is 00:06:47 It claimed responsibility for alleged DDoS attacks on various organizations in the energy grid on its Telegram page today. Along with the DDoS attack, it also published a list of usernames and passwords for two NATO commands on its website. Killnet wrote, the personnel are using super secret passwords, the incredibly complex 123456 and the more complex 12345678. If the passwords are legitimate, it shows that at least two people didn't take their cyber awareness training seriously enough. And as if that wasn't enough, a Killnet member also posted an image of an unnamed news source explaining that Killnet had signed 150 unnamed NATO personnel up for various dating websites in Ukraine and Moldova.
Starting point is 00:07:38 The image looks bogus, so interpret it simply as a claim by Killnet. The affected NATO infrastructure appears to be a NATO school, an instructional facility in southern Germany, and not any operational or high-level administrative organization. The school's website has been up and down this morning. The Ukrainian hacktivist group InformNapalm has released more information on Lieutenant Colonel Sergei Alexandrovich Morgachev, the GRU officer believed to lead Russia's APT28, known as Fancy Bear, consisting of officers of the 85th Main Special Service Center of the GRU, Military Unit 26165.
Starting point is 00:08:27 The group states, Ukrainian hacktivists from the cyber resistance team handed over a complete dump of Morgachev's correspondence and personal files for publication so that all interested parties from the FBI to journalists, experts, and members of the public could independently investigate the facts set forth in this publication and find other information that And finally, Skyhigh Security this morning released its study, the Data Dilemma Cloud Adoption and Risk Report, which highlights challenges in cloud data security. The report found that 90% of organizations have experienced at least one cybersecurity breach. The report also found a rapid increase in cloud adoption, with use of public cloud services increased to about 50% between 2019 and 2022. 26% of respondents have been found to have a distrust for private cloud providers,
Starting point is 00:09:21 compared to 9% in 2019. Shadow IT, or employee-commissioned cloud services without IT approval or involvement, has seen a reported 25% increase from 50% in 2019 to 75% in 2022. The report also shares that cloud access security brokers are used by 42% of organizations surveyed, while secure web gateways are used by 28% of organizations. Rodman Ramezanian, global cloud threat lead at Skyhigh Security, said, Today, data is everywhere, traversing devices, cloud applications, the web, and infrastructure. So it comes as no surprise that one of the biggest challenges organizations face is securing their vital data.
Starting point is 00:10:16 Coming up after the break, Britta Glade and Monica Koshgarian of RSA Conference talk about content creation. Grayson Milbourne from OpenText Cybersecurity hopes to remove shame from cyber attacks. Stay with us.
Starting point is 00:10:44 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:11:17 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? reached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. We are merely two weeks away from the annual RSA conference, where security professionals from all over the world will be descending upon San Francisco
Starting point is 00:12:47 to catch up on the latest and spend time with friends and colleagues. The CyberWire is an RSA media partner, and for behind-the-scenes insights on how the conference plans and organizes hundreds of sessions, meetings, and learning opportunities, I spoke with Britta Glade, Vice President of Content and Curation at RSA Conference, and Monica Koshgarian, Program Director for the eFraud
Starting point is 00:13:11 Global Forum. Britta Glade starts us off. So RSA Conference has over 500 sessions that are published and publicly available for our attendees. They range from small group birds of a feather type sessions to large group keynote to everything in between, as well as some very interesting closed door Chatham House Rule invitation-based sessions for specific audiences. And we work with an extensive program committee. Gosh, we have over 150 different people who are involved in, domain experts who are involved in the individual specific programs to really look at submissions that come in, as well as what belongs on the stage at RSA Conference. And those folks, you know, debate and discuss and battle it out for
Starting point is 00:14:06 what the final sessions will be that appear on the RSA Conference stage. Well, Monica, I know you head up the e-fraud program there. Can you take us into some of the things that you'll be offering up this year when it comes to that? Oh, absolutely. Yeah. So I just wanted to clarify. So EFG is closed door invitation only. So we very closely monitor who is in the room. And the reason why that's important is because everything that we do is under Chatham House rule. And again, the reason why that's important is because we want to create an environment where there's a lot of open and candid conversations between the participants. So it's not only learning from experts, but I always say we also learn from each other. Everybody in that room is an expert on something.
Starting point is 00:14:52 And everybody in the room really is a practitioner. And it's at a level of vice president, director or above. So they are fraud prevention, fraud detection leaders from all over the world. And they're there to really exchange best practices with each other. So everything that we do from a content perspective is very much what do they see in their day-to-day environment? What is it that are the key challenges? What are the key solutions? We stay away from vendor sponsorships or vendor discussion. And we really talk about what works and what doesn't work, best practices.
Starting point is 00:15:45 So most of the agenda is either panel conversations or presentations that take place in front of the audience. And our audience is fairly small. We target about 125 to 140 fraud leaders. And a lot of interaction. It is designed to be very, very conversational. Again, we want to hear what works for everybody else so that we can learn from each other. Our goal from every single one of our sessions, whether it's to the entire audience, 140 people, or in the breakout sessions, we also have these elective sessions that they can choose one of four sessions, both in the morning and the
Starting point is 00:16:18 afternoon. And all of them are designed to give everybody the ability to walk away with a lesson learned, something that they have learned that they can then implement in their own environments to be better fraud fighters. Now, in terms of people being able to put this on their schedules, is this exclusively happening at the RSA conference or are there opportunities beyond that as well? Yeah, the key event for EFG does take place during RSA Conference, and that takes place on Tuesday of RSA Conference. And it's a whole day. It's basically we start early, 7.15, we kick off the day with a networking breakfast, and we end late.
Starting point is 00:16:57 We work until about six o'clock. There's a lot of interaction, a lot of conversation. It's hard work, but it's also very, very, it's fun. It's educational. Again, it does because it is a community and that's a really important point. This is the fraud leaders from all over the world that behave and come together as a community to learn from each other. The other thing I will insert here that is super valuable. As Monica said, super tight-knit group, wonderful community here that also recognizes the importance of the entire RSA conference community benefiting from these conversations, benefiting from this knowledge. So while this event takes place at conference under closed doors, we have a fraud prevention track that's part of the public
Starting point is 00:17:45 RSA conference proceedings that many of these same folks help make the selections of what goes there. We've blended and threaded elements from that closed door, highly confidential conversation into what benefits the group at large. This is done for this fraud community, as Monica's talking about. We also have another program called ICSF, International Cybersecurity Forum, which these are the lead folks that make cyber decisions for governments across the globe. And then we also have programming specific for CISOs.
Starting point is 00:18:20 We have one ESAF for Fortune 1000 CISOs, and then we have our CISO bootcamp for emerging CISOs. So our RSA conference has tried to be very, very deliberate with nurturing some of these key audiences and providing these high-value, closed-door, highly trusted environments, and then also taking learnings from that, benefit that key conversations and putting it in our public-facing programming. So it's a very dynamic process. sort that out and plan their schedule to be able to balance out attending the sessions they want to see, but then also having time for some of the other things, being on the show floor, the other sessions that there are. Any words of wisdom there? Yeah, super important question where, you know, plan ahead, right? So if you go to the website, there's several different filters
Starting point is 00:19:20 that are available to you. You can filter by topics and tracks. You can filter by level of session, meaning general, intermediate, advanced. There's some that you can look at, what's a hands-on kind of a thing, i.e. the lab environment, the sandbox experiences, versus a traditional presentation. So I would spend some time, know what's of interest to you, spend some time on the website, plot some things out, reserve a seat if it's something that's super, super important to you. And then, you know, do block out that time for the expo floor, block out the time for networking. Again, that's the power of getting together physically. We all had certainly reinforced to us even more during the pandemic time. You know, face-to-face communication and conversation is important.
Starting point is 00:20:06 So have an attack plan, look through the site and plan some sessions of value to you. And wear comfortable shoes. Wear comfortable shoes and hydrate, yes. That's Britta Glade and Monica Koshgarian from RSA Conference. And I'm pleased to be joined once again by Grayson Milbourne. He is the Security Intelligence Director at OpenText Security Solutions.
Starting point is 00:20:50 Grayson, it's always great to welcome you back. You know, I think there's a saying that I hear bandied around a lot, and that's don't blame the victim. And I want to get your take on that when it comes to cyber attacks, because, you know, so many times I think it's easy to have that reflex, but we got to resist that. Yeah, I think I like that saying of don't blame the victim, but I don't know that it holds as true when we think about cyber attacks impacting large companies and small companies together. I know certainly companies themselves look at being a victim of an attack as something that they're somewhat shameful of. And I think that has a lot of consequences in today's threat ecosystem, particularly with ransomware and the ability for government agencies
Starting point is 00:21:30 and law enforcement to understand the real biggest threat and to use their resources to go after and disrupt this kind of plague on digital business today. Is there a middle ground here? I mean, I'm thinking of, you know, so many organizations, if they get hit by some kind of attack or breach, that the first thing you'll hear from them is, you know, we got hit by sophisticated actors or the nation state attacker. There was nothing we could have done. And I think that's often, you know, a bit overstated.
Starting point is 00:22:02 Yeah, I mean, I definitely think there are a lot of attacks, you know, are definitely of opportunity, and it's not necessarily a zero day or some, you know, very novel exploit that was used to compromise. You know, we do see that perhaps more on like the larger compromises, you know, things that typically make the news. But these are, you know, that's a far outlier compared to, I think, the meat of the problem that focuses on much smaller businesses. And I think what happens there is that businesses don't want to suffer the consequences of a breach beyond just what happens to their data, but to their customer relationships, to the confidence in their business, of their customers and of their partners. And this is why I think ransomware continues to be so successful,
Starting point is 00:22:50 is that the majority of people who get hit, especially in the small and medium business space, end up paying because it's the fastest way to get back to business as usual. And the unfortunate reality of that is it only further motivates cybercriminals to participate in this type of attack. And then again, if you don't share your experience, attribution is more difficult, and others then make the same mistake that you've made. Or in the case that it is, perhaps you're using out-of-date software that was exposed to the internet and there was a known vulnerability. This is one of the most common things we actually see here are widely used tools that are accessible to the internet,
Starting point is 00:23:29 but then a vulnerability is discovered. And I'm just trying, it's skipping my mind at the moment, but there was one just released this last week for, what is it, masterminds? In any event, several thousand internet-connected environments. I think they found already 7,000 that were vulnerable to some new type of attack. And so it's not necessarily always your fault, but being aware of how attacks are happening and being mindful of these things can enable you to take the right steps to prevent an easy access type of breach. Do you have any advice in terms of the sharing itself? I mean,
Starting point is 00:24:06 who should you be reaching out to? Who are the important people to share that information with? Yeah. So CISA, the government agency, C-I-S-A, but they like to call it CISA, is a great place not only just for information about best practices and bulletins to the effect of recent cyber criminal activity and things to be on the lookout for, but they also have a way that you can share your experience. And if you are dealing with a threat actor, ransomware, they have some resources they can assist you with. And even if you ended up paying, letting them know that you are a victim still allows them to attribute the volume of attacks based on different threat actors. And I think this is really one of the blind spots that we have today is that we only have what
Starting point is 00:24:54 people are willing to tell us. And also some from what we see from our detections and preventions and environments. But we know a lot of businesses are not disclosing this. And we see that in several ways through surveys. And ultimately, the continued plight of ransomware and what it's doing to digital business. And so what I would love to see is for businesses and for consumers as well, because I think this is partially a consumer-based problem
Starting point is 00:25:17 in that when a vendor gets breached and your data gets lost, we often look upon that negatively. And rightfully so in some cases where if the vendor was breached six months ago and you're just now telling me about it, that's a disservice to myself. And so I think there's two things
Starting point is 00:25:34 that have to go into the solution. And one is sort of de-shamifying incidents that the businesses suffer, especially with due diligence has been taken into consideration. But two is there needs to be better transparency in acknowledging when these incidents happen to the most impacted people, which are your customers and their data.
Starting point is 00:25:54 Because those are the people who suffer. And we've seen, actually, law enforcement punishing businesses who are not as transparent as they should be. And most recently, we saw this with Uber. And Uber has, again, a long history of these cybersecurity incidents that they've downplayed at the cost of the customer's data that they've lost. And so I think improving that relationship will improve the amount of trust, and we can then start looking at cybercrime and ransomware, these types of attacks
Starting point is 00:26:25 as something that impacts all of us and not just those who are unlucky or ill-prepared. Yeah. All right. Well, interesting insights. Grayson Milbourne, thanks for joining us. Thank you. security solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Talk. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can
Starting point is 00:27:55 find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:28:26 We'll see you back here tomorrow. into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
