CyberWire Daily - A look at the SideWinder APT. GoAnywhere vulnerability exploited in the wild. Ransomware rampant. Hacktivism in Russia’s hybrid war. Patch Tuesday notes.

Episode Date: February 15, 2023

SideWinder is an APT with possible origins in India. MortalKombat ransomware debuts. The GoAnywhere zero day was exploited in a data breach. Belarusian Cyber-Partisans release Russian data. Betsy Carmelite from Booz Allen Hamilton shares an overview of cyber deception. Our guest is Ashley Allocca from Flashpoint with a look at the Breaches and Malware Threat Landscape. And notes on Patch Tuesday. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/31

Selected reading.

Molted skin: APT SideWinder 2021 campaign that targeted over 60 companies in the Asia-Pacific (Group-IB)
New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign (Cisco Talos Blog)
Tonga is the latest Pacific Island nation hit with ransomware (The Record from Recorded Future News)
LockBit demanded £66mn from Royal Mail (Computing)
City of Oakland declares state of emergency after ransomware attack (BleepingComputer)
City of Oakland Targeted by Ransomware Attack, Work Continues to Secure and Restore Services Safely (City of Oakland)
Huge data dump from Russia's censorship agency posted online (Cybersecurity Connect)
Russian system to scan internet for undesired content and dissent (Reuters)
Patch Tuesday: Three zero-days and nine 'Critical' RCE flaws fixed (Computing)
Microsoft February 2023 Patch Tuesday fixes 3 exploited zero-days, 77 flaws (BleepingComputer)
Apple Releases Security Updates for Multiple Products (CISA)
SAP Security Patch Day for February 2023 (Onapsis)
Citrix Releases Security Updates for Workspace Apps, Virtual Apps and Desktops (CISA)
Adobe Releases Security Updates for Multiple Products (CISA)
The first national cyber director's last day is today (Washington Post)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. SideWinder is an APT with possible origins in India. MortalKombat ransomware debuts. The GoAnywhere zero-day was exploited in a data breach. Belarusian Cyber-Partisans release Russian data.
Starting point is 00:02:14 Betsy Carmelite from Booz Allen Hamilton shares an overview of cyber deception. Our guest is Ashley Allocca from Flashpoint with a look at the breaches and malware threat landscape. And notes on Patch Tuesday. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 15th, 2023. Group-IB this morning released a report detailing the activity of a nation-state threat actor dubbed SideWinder. The SideWinder APT, known also by the names Rattlesnake, Hardcore Nationalist, and T-APT4, has been observed since 2012 conducting cyber espionage against governments in the Asia-Pacific region. It's believed to be headquartered in India. Group-IB discovered the group's SideWinder.AntiBot.Script tool in June of last year in use against Pakistani
Starting point is 00:03:33 companies. The researchers were able to piece together a list of potential targets for the group containing 61 government, military, financial, law enforcement, political, telecommunications, and media organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka. The researchers note that there's significant overlap between what SideWinder has been up to and the past capers of the Baby Elephant APT, and that overlap is enough for them to think that the two groups may be one and the same. Cisco Talos has been tracking an unidentified financially motivated threat actor that's using a new strain of ransomware called MortalKombat, as well as the Laplas Clipper malware. The threat actor is delivering both strains of malware via cryptocurrency-themed
Starting point is 00:04:23 phishing emails. Laplas Clipper is designed to monitor an infected system's clipboard for cryptocurrency wallet addresses, then hijack transactions by overriding them with an address belonging to the attacker. Laplas was first observed in November 2022, while the MortalKombat ransomware first surfaced last month. The researchers believe MortalKombat belongs to the Xorist ransomware family. BleepingComputer reports that Community Health Systems says it's been the victim of a data breach compromising the personal and health information of up to one million patients. The breach was one in a recent wave of attacks exploiting a zero-day vulnerability in Fortra's GoAnywhere MFT software. The provider reports no belief
Starting point is 00:05:12 that there's been impact on their systems, saying in an SEC filing that there also has not been any material interruption of the company's business operations, including the delivery of patient care. The Clop gang, which has claimed responsibility for these attacks, is generally believed to be linked to criminal threat actor TA505. TA505 has been observed using Clop ransomware in the past. Ransomware can have and is having serious effects on its victims. Smaller nations can find themselves struggling when key sectors are taken down. The Pacific Island nation of Tonga, for one, is currently grappling with a ransomware attack, The Record reports. Tonga Communications Corporation, one of two telecoms companies in the Polynesian country, warned customers that they might experience slowdowns
Starting point is 00:06:05 in service. TCC wrote, "A ransomware attack has been confirmed to encrypt and lock access to part of TCC's system. This does not affect voice and internet service delivery to the customers. However, it may slow down the process of connecting new customers, delivering of bills, and managing customers' inquiries. We are working with security companies to mitigate the negative impact of this malware." Tonga's 171 islands are home to about 100,000 people, and they obviously depend on their telecoms. In the UK, according to Computing, LockBit has upped the ante in its extortion of Royal Mail. The gang is now demanding £66 million. Royal Mail says that's outrageous and it won't pay.
Starting point is 00:06:53 And in the U.S., the city of Oakland, California has declared a state of emergency over its own ransomware attack. The city announced yesterday that interim city administrator G. Harold Duffey issued a local state of emergency due to the ongoing impacts of the network outages resulting from the ransomware attack that began on Wednesday, February 8th. Oakland continues to experience a network outage that has left several non-emergency systems, including phone lines, within the city of Oakland impacted or offline. The city appeals for patience and cooperation and says it's taking steps to get the help it needs to recover. Turning to the cyber phases of Russia's hybrid war against Ukraine, the Belarusian Cyber-Partisans, dissident hacktivists opposed to both the Lukashenko regime in Belarus and to Russia's war against Ukraine, have released a 335 gigabyte dump of emails and other files obtained from Roskomnadzor's General Radio Frequency Center division.
Starting point is 00:07:56 Cybersecurity Connect reports that the hacktivists claimed credit in a Twitter thread and promised that more was to come. They stated, "Do you want to know who in Roskomnadzor was preparing reports on protests in Ukraine and Kazakhstan for the leadership of the Kremlin? We publish these reports and contact info of the RKN employees in our TG channel." The data obtained from Roskomnadzor were posted to Distributed Denial of Secrets. Roskomnadzor is the Russian internet governance authority. It's recently been involved with working to scrub derogatory references to President Putin. The Kyiv Independent reports that the agency is using AI tools to
Starting point is 00:08:38 combat memes that portray Mr. Putin in a less than favorable light. Reuters describes Oculus, one of the principal systems Roskomnadzor is deploying to identify dissent and shoo away trolls. Reuters states, "The Oculus system will be able to read text and recognize illegal scenes in photos and videos, analyzing more than 200,000 images per day at a rate of about three seconds per image, the Interfax news agency reported." Patch Tuesday, of course, was observed yesterday. This month's patches saw fixes from Microsoft, Apple, SAP, Citrix, Mozilla, and Adobe. Microsoft issued patches for 77 flaws, including three zero-days that were being actively exploited in the wild, BleepingComputer reports. The zero-days affect the Windows graphics component,
Starting point is 00:09:30 Microsoft Publisher, and the Windows Common Log File System driver. Apple has issued an emergency patch for a vulnerability affecting iOS, iPadOS, and macOS, Tom's Guide reports. The vulnerability affects WebKit and can lead to remote code execution on the device if the user visits a malicious web page. Apple says it's aware of a report that this issue may have been actively exploited. Adobe has fixed vulnerabilities affecting Photoshop, Illustrator, and After Effects, SecurityWeek reports.
Starting point is 00:10:04 The company stated, "This update addresses critical security vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user." Citrix has patched four high-severity vulnerabilities affecting Citrix Workspace Apps, Virtual Apps, and Desktops, according to CISA. Mozilla has released several security patches for Firefox 110 and Firefox ESR 102.8. SAP has issued 26 fixes, including one for a vulnerability that could allow an authenticated non-admin user with local access to a server port assigned to the SAP Host Agent service to submit a specially crafted web service request with an arbitrary operating system command.
Starting point is 00:10:57 As always, check your systems, and as CISA would put it, update per vendor instructions. And finally, today is the last day in office of Chris Inglis, the first U.S. National Cyber Director. It was a fitting milestone in a long and distinguished career that took him from NSA to the Executive Office of the President. He created and filled the new role to widespread respect and bipartisan approval. Thank you for your service, Mr. Inglis, and our best wishes for you as you embark on the next stage of your life. Coming up after the break, Betsy Carmelite from Booz Allen Hamilton shares an overview of cyber deception. Our guest is Ashley Allocca from Flashpoint with a look at the breaches and malware threat landscape. Stay with us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
Starting point is 00:12:05 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:12:35 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.

Security firm Flashpoint recently released their 2022 Breaches and Malware Threat Landscape Report,
Starting point is 00:13:57 tracking the most targeted sectors and geographic areas. Ashley Allocca is an intelligence analyst at Flashpoint. So this year, our top targeted sectors that we saw were government, financial, and retail. And we describe government as any sort of data set that might include government-issued IDs, you know, driver's licenses, passports, but that certainly also includes databases or certain data sets from government departments, local governments, foreign ministries. So consistently, those types of data sets are pretty profitable within these illicit communities. Financial and retail, those are also heavily targeted because of their financial information, obviously.
Starting point is 00:14:48 Credit card information, other financial data applications that are known to be vulnerable. And from there, you can, the threat actors hope is to scrape sensitive information like financial data, but some of these accesses allow actors to actually get in there and change payment information so they can receive payments from customers. They might be able to change content on the website. So year over year, we see these emerge as popular sectors just because of even solely the financial payoff that they have for these actors. I see. So in terms of the geographic distribution of the folks who are being targeted here, what are you tracking there? So the United States pretty consistently is the top targeted region.
Starting point is 00:16:03 It's also important to note that a lot of the communities we take a look at are English speaking, or at least the ones that we take a look at for this report. So that certainly could inform why the United States is one of the top targeted regions. We also do see certain chatter where actors prefer, especially those seeking out financial information, prefer to target the United States, certain parts of Europe for financial information. So it's sort of just, you know, it's somewhat informed by our collections. And we also see discussion as to why the United States might be of particular interest to specific actors. With tax season coming up, it's always like high season for actors targeting the United
Starting point is 00:16:55 States, especially those that are financially motivated. So we pretty consistently see specific reasons why an actor might be interested in targeting the United States. So overall, we see the U.S. as one of the top targeted regions. Yeah. As you make your way through the data, was there anything unexpected or surprising, anything that caught your eye from that point of view? You know, it's always interesting to see how the language of some of these advertisements and posts changes. From my perspective, something important that I like to take a look at while I'm doing this report is how can I assess an actor's credibility? This report, we put it out on a weekly cadence,
Starting point is 00:17:42 and then obviously it informs the annual report, but we like to try to do, as best as we can, our credibility assessment along with the data that we're posting about. So something interesting that we've seen this year when trying to assess actors' credibility is that they'll use an intermediary. And that is becoming more and more popular in these postings. So while it helps the actor, I guess, prove that they are credible because they're willing to use some sort of middleman service, it also helps us take a look at this actor possibly is more credible because they are willing to use some sort of intermediary
Starting point is 00:18:23 when facilitating a transaction. We see a lot of actors share Telegram handles or Tox IDs, which indicates to us that a lot of these transactions, while they may be happening on certain forums and marketplaces, a lot of possibly the negotiation or maybe even the transaction itself is moving to other platforms like Telegram. So it's pretty interesting to track those changes year over year. So it also helps us decide or prompts us to take a look at those for next year's reporting. So based on the information that you all have gathered here, what are your recommendations for the folks who are out there defending their organizations? What are the take-home lessons here? So we always try to plug, you know, multi-factor authentication. A lot of these data sets,
Starting point is 00:19:17 you know, social engineering is, and phishing attacks are, like some of the top vectors used by actors. You know, it's kind of like low-level stuff to initially infiltrate some sort of system, so make sure you're using some sort of multi-factor authentication. We're also taking a look at, um, some actors, I think I mentioned this, will, uh, some actors are kind of hesitant to say how they got their information. Some actors will freely share it. We see a decent amount of posts of actors saying that, you know, they got this data set because they were opportunistically scraping some sort of exposed storage bucket for a specific cloud service provider. So make sure that you're configuring your storage objects as best as you can and not just leaving default settings. You know, actors will opportunistically target these resources to scrape this data that you
Starting point is 00:20:11 might not realize is publicly exposed to the internet. Additionally, implementing some sort of consistent patching cycle is key. Actors will commonly exploit disclosed, preying on the fact that their victims possibly have not yet updated their systems at all. So getting out in front of some sort of patching cycle is really key.

Betsy Carmelite. She's a principal at Booz Allen Hamilton. Betsy, it is always great to welcome you back to the show. I want to talk today about this whole notion of cyber deception with you. I know this is something you and your colleagues keep an eye on.
Starting point is 00:21:09 Can we start off with just some basics here? When we say cyber deception, what do we mean? Yeah, thanks, Dave. So in simple terms, we are taking a page out of the malicious actors playbook to use strategies that enable faster detection and faster intelligence collection. But it is so much more. So really it's at its core, a proactive cyber defense methodology and it puts the defender in the driver's seat. It enables defenders to lead the attacker and then gather intelligence about the adversary's tools, methods, and behaviors through a system of honeypots, lures, tripwires, and other technologies as you deploy them.
Starting point is 00:21:53 And it's also a strategy that cyber professionals use to gain the upper hand in operations against attackers, ultimately decreasing dwell time. And it allows them to obtain valuable cyber threat intelligence to mitigate data loss. Well, it sounds to me like the folks who do this, they benefit from getting a lot of data, as you say, on their potential adversaries. Are there other parties who benefit here from going at this this way? Yeah, that's right. I would say you're a good candidate to deploy cyber deception strategies
Starting point is 00:22:28 if you have existing cybersecurity solutions, such as EDR tools, endpoint detection and response tools, advanced security operation centers, SOCs, and systems that require high-fidelity alerting, so systems that are finely tuned in terms of alerts and have properly configured rules. Also, teams with threat intelligence capabilities that can conduct analysis, produce reports, and shape security postures are helpful.
Starting point is 00:23:02 And so we're really looking at more mature security operations. And the methodology requires a team with resources to address alerts in a timely manner. So we're looking at a recommended strategy that would probably require a dedicated team. So we might not even recommend this for a large enterprise environment if it doesn't have that team because you need to manage the deception, right? Deception can get pretty tricky in general in the kinetic world, as we say, but later on, you know, the interplay and engagement in the cyber domain and it gets really tricky and you need some eyes on it. What are your recommendations in terms of deployment? You know, what are some of the options that folks have for going at this? Yeah, so a few topics here. So back to the resource need. Staffing a highly skilled and
Starting point is 00:23:56 experienced team with those who have worked in blue team or red team environments is key. So that training and experience helps these teams deploy high-interaction decoys and other services that will entice the threat actors. And for an even stronger approach, having logging and alerting solutions that help the team respond to those tripwires in a timely manner will make all the difference. So really you have to be there and know where to respond quickly to gather the intelligence. And then on the technology front, as I mentioned before, honeypots, breadcrumbs, lures, canary tokens, which are resources monitored for access. So that could be like an API key or a file. So once those are accessed, an alert is triggered.
Starting point is 00:24:50 All of those are crucial tools to trip those high-fidelity alerts to identify threat actor activity. And how do folks typically come at this? Are we talking about developing something like this in-house, or do I engage with the vendor? Is there a spectrum in between those two things? Yeah, I think those are the two ways we've seen this deployed. So at its core, the deception tactics work by simulating critical infrastructures, services, and configurations,
Starting point is 00:25:26 so that you get an attacker interacting with those false IT assets. So there are commercially available products out there, or you can develop your own approach and use in-house skills. So a couple of recommendations. If you're using a commercially available product, it's critically important to start with a plan that considers what comes with that product. Take time to fully know it.
Starting point is 00:25:51 Establish what you can do and can't do with it. And then if you're going to do an initial pilot, then prioritize a strategy around your high-value assets if your organization really isn't ready for a full enterprise deployment. It's really key to understand where within your environment stakeholders are comfortable using these products, because if your leadership is not comfortable with a full, robust deception strategy, consider possibly at least seeding false administrative credentials to defend against that common threat vector. If you don't want to use a commercially available product, the deployment plan would include similar preparation around knowing what you're getting into and who's comfortable with it. But you'd replace the product with in-house experience and tools. And so you would develop your own servers,
Starting point is 00:26:52 services, shares in a manner that would be enticing to an attacker while still being able to alert immediately when they are triggered or interrogated. You'd need to deploy and manage multiple sensors to feed back to an operations center. And then finally, back to the resources, train and enable those network defenders to be able to respond in a timely manner. So there's a lot to it, but it seems like it's achievable for the organizations for whom it would be appropriate. That's right. And again, we're talking about those more sophisticated, highly funded organizations that probably have a lot of security investments around their security operations. Yeah. All right. Well, Betsy Carmelite, thanks for joining us. Thank you.

by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:28:06 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire.
Starting point is 00:28:39 For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
Starting point is 00:29:53 connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
