CyberWire Daily - A phishing campaign poses as USAID. APTs exploit unpatched Pulse Secure and Fortinet instances. Healthcare organizations continue recovery from ransomware. A look at Criminal2Criminal markets.
Episode Date: May 28, 2021

A phishing campaign this week appears to be the work of Russia's SVR. Chinese government threat actors continue to exploit unpatched Pulse Secure instances. FBI renews warnings about unpatched Fortinet appliances. Healthcare organizations still work to recover from ransomware. Rick Howard speaks with author Andy Greenberg on his book Sandworm. Ben Yelin weighs in on questions Senator Wyden has for the Pentagon. And a look at the criminal ransomware market, including the consultants who serve the extortionists. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/103
Transcript
You're listening to the CyberWire Network, powered by N2K.
A phishing campaign this week appears to be the work of Russia's SVR.
Chinese government threat actors continue to exploit unpatched Pulse Secure instances.
The FBI renews warnings about unpatched Fortinet appliances.
Healthcare organizations still work to recover from ransomware.
Rick Howard speaks with author Andy Greenberg on his book Sandworm.
Ben Yelin weighs in on questions Senator Wyden has for the Pentagon.
And a look at the criminal ransomware market,
including the consultants who serve the extortionists.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, May 28th, 2021.
The week ends with more stories of cyber espionage. Microsoft yesterday announced its discovery of a new campaign by the Russian threat actor Redmond calls Nobelium, which is the group others know as Cozy Bear. By general consensus, it is associated with both Russia's SVR and the SolarWinds compromise. Nobelium this week succeeded in compromising a Constant Contact email marketing service account belonging to the U.S. State Department's international assistance agency, USAID. The threat actor then used that account to send convincing phishing emails to more than 3,000 accounts at over 150 organizations. The phish hook was a link that installed the NativeZone backdoor, and Microsoft has provided technical details about the attack. U.S. organizations were most heavily targeted, but at least 23 other countries were also affected.

Volexity, which has also been tracking Cozy Bear's new campaign, points out that the phish bait in the emails was frequently election-themed. Here's one representative screamer: "USAID Special Alert: Donald Trump has published new documents on election fraud." Another is "Foreign threats to the 2020 U.S. federal elections," which seems like a cheeky bit of phish bait for Cozy Bear to use as chum. Volexity doesn't claim to have any certainty about who's behind the campaign, but it does think the attack looks like the work of a known threat actor it has dealt with on several previous occasions. It does cite four attributes that point toward APT29, that is, the SVR. The attackers used an archive file format with an LNK to deliver the initial payload; this technique was observed in 2018. They also used an election-themed lure that appears to come from a U.S. government source; this has been seen since 2016. Cobalt Strike, with a custom malleable profile, was used as an initial payload, as has been done since 2018. And finally, the scope and timing of the campaign look like the familiar paw prints of a huggy bear: many targets got the same phishing content at about the same time.
Chinese intelligence services have also been busy. FireEye's Mandiant unit has followed up earlier research into Pulse VPN exploitation and concluded that the Beijing-linked threat actors UNC2630 and UNC2717 have introduced four new families of malware and deployed these against economic verticals given priority in China's 14th Five-Year Plan. The cyber espionage is characterized as sophisticated and evasive and as exhibiting an intimate familiarity with the victims' networks. The four new strains of malware are Bloodmine, a utility that parses Pulse Connect Secure log files and extracts information related to logins, message IDs, and web requests, then copies the data it obtains to another file; Bloodbank, a credential theft utility that parses two files containing password hashes or plaintext passwords and expects an output file to be given at the command prompt; CleanPulse, a memory patching utility that may be used to prevent certain log events from occurring (researchers found CleanPulse in close proximity to an Atrium web shell); and finally, RapidPulse, a web shell that's capable of arbitrary file read. As other web shells so often do, RapidPulse exists as a modification to a legitimate Pulse Secure file. The attacker can use RapidPulse as an encrypted file downloader. While some European organizations have been targeted, the great majority of those affected have been in the United States.
The U.S. FBI yesterday warned that foreign actors were exploiting unpatched Fortinet VPNs to compromise U.S. municipal governments. Quote, "As of at least May 2021, an APT actor group almost certainly exploited a FortiGate appliance to access a web server hosting the domain for a U.S. municipal government. The APT actors likely created an account with the username 'elie' to further enable malicious activity on that network," end quote. Once they're in, the attackers can accomplish a number of unwelcome things: data exfiltration, further malware installation, data encryption, and so on. Organizations that think they may have been affected should look for FTP transfers over port 443 and unrecognized scheduled tasks, especially SynchronizeTimeZone. This isn't the first warning the FBI or CISA have issued about the risk of leaving Fortinet appliances unpatched, and we emphasize that Fortinet has had a patch available for some time. Their first warning arrived on October 12th of last year. The second was issued almost two months ago, on April 2nd. There's almost a touch of weariness in yesterday's warning. It's like, come on, people, how much more can we spell it out for you? Tell His Honor to have people patch the city's stuff, okay? It's worth noting that local governments shouldn't presume they enjoy immunity from the attentions of unfriendly foreign states.
BlackBerry puts the worldwide Conti ransomware victim count north of 400. A lot of these have been healthcare or first responder targets, prominently Ireland's HSE, New Zealand's Waikato DHB, and California's Scripps Health, all three of which continue to work toward recovery. BlackBerry took a look at the free decryptor Conti operators offered in a fit of either remorse or, more probably, fear of the attention from law enforcement that widespread public odium would spur. BlackBerry concluded that the decryptor was indeed legitimate and not a further scam, but lest one be inclined to credit Conti operators with a functioning conscience, consider the comment they provided Newshub about their infestation in Waikato. Quote, "For last three days we tried to contact them and we offered help with restoring the network. With our help they could restore it for one day. Without our help they will have to rebuild their network from the beginning. They decided to ignore us and torture their employees and patients. It is only their fault that DHB is still offline. They can't use their backups. We deleted most of it," end quote. Newshub also reported that the Cancer Society's medical director called the ransomware attack worse than COVID, which seems perhaps overheated, but there's little doubt that disrupting networks in Waikato has also disrupted the delivery of care. In Ireland, officials now estimate that the total costs of the Conti attack on HSE will probably exceed 100 million euros.

DarkSide is another crew that's claimed to have gone dark, but U.S. law enforcement authorities aren't counting on them keeping their word, Infosecurity Magazine reports. If you take the gangs at their word, then, hey, we've got a non-fungible token of a perpetual motion machine you may be interested in as an investment opportunity.

And finally, the underground criminal economy is a complex one that mirrors many aspects of legitimate markets. Crooks have their consultants, just as legitimate businesses do, Gemini Advisory reports. They squabble sometimes. A dark web fight between REvil and a criminal middleman, a ransomware consultant, has revealed some of the features of that market. The consultant scouts victims to come up with recommendations for a ransom the victims are likely to pay and also handles negotiations between the extortionists and the victims. Sleazy, but still complex.
Rick Howard winds up his week-long series of interviews with highly respected authors of cybersecurity books, each one an inductee into the Cybersecurity Canon. Here's Rick with the latest.

We are at the end of Cybersecurity Canon Hall of Fame week here at the CyberWire. I've been interviewing all the winning authors for this year, and our final interview is with Andy Greenberg, the author of Sandworm: A New Era of Cyberwar. I asked Andy, what exactly is Sandworm?

Sandworm is a group of Russian hackers
that since late 2015 or so have carried out what I think is the first full-blown cyber war. Starting in
Ukraine, they attacked pretty much every part of Ukrainian society with these data-destructive
attacks that hit media and the private sector and government agencies, and then ultimately
the electric utilities, causing the first ever blackouts triggered by cyber attacks.
Sandworm hit Ukraine's power grid
not once but twice in late 2015 and then again in late 2016. And then finally, this Ukrainian
cyber war that Sandworm was waging essentially in the middle of 2017 exploded out to the rest
of the world with this cyber attack called NotPetya. A worm, a self-propagating piece
of fake ransomware that was actually just a destructive attack that spread from Ukraine to
the rest of the world and took down a whole bunch of multinational companies, medical record systems,
and hospitals across the United States, and ultimately cost $10 billion in global damages,
the worst cyber attack in history by a good measure.
So the story of Sandworm is a detective story about the security researchers across the private
sector trying to track this group and figure out who they are and try to warn the world that this
Ukrainian cyber war was soon going to spill out and hit us too. And then that is exactly what happened.
And when that happens, the book kind of switches from a detective story to a disaster story.
And I track the effects of NotPetya across the world as it causes this wave of devastation.
I've been including Sandworm into a triad of recent must-read cybersecurity canon Hall of Fame books
that not only tells the history of the relatively new development
of continuous low-level cyber conflict between nation-states
from about 2010 until present,
but also attempts to explain the current thinking
of some of the key cyber power players
like Russia, China, the United States, Iran, and North Korea.
David Sanger's Hall of Fame book, Perfect Weapon,
covers the history and key thinking
of all the power players.
Richard Clarke and Robert Knake's Hall of Fame book,
The Fifth Domain, covers similar material,
but leans towards the policy side of the discussion.
And finally, Andy Greenberg's Hall of Fame book, Sandworm,
focuses specifically on Russia.
The book is called Sandworm: A New Era of Cyberwar, by Andy Greenberg. And you can hear a much more in-depth, longer interview in my CSO Perspectives podcast, exclusively on the CyberWire Pro subscription service. And congratulations to Andy for his induction into the Cybersecurity Canon Hall of Fame.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, but also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting story from Joseph Cox over on the Vice website,
and it's titled,
Pentagon Surveilling Americans Without a Warrant, Senator Reveals.
What's going on here, Ben?
So this is Senator Ron Wyden,
who if there is a story about government surveillance and it
involves a lawmaker, you probably have a 90% chance that it's going to be Ron Wyden. He has sent a
letter to the Department of Defense asking them to declassify a program where they are conducting
warrantless surveillance of Americans. So he's asking for detailed information from the Department
of Defense, the Pentagon, the NSA, and the Director of National Intelligence about this
program where special forces in the U.S. military are buying location data from data brokers. So
these are private data brokers. And without a warrant, the government is going in and obtaining some of this data.
So Senator Wyden has a bunch of questions that he specifically wants answered. One,
I think that's particularly relevant, both because it's what the majority of the American
people care about, and there's some legal significance, is how many of these communications
were between American citizens or U.S. persons. We have an American
person on one end or the other. Those types of communications merit significant Fourth Amendment
protection, even if they have some sort of national security implication. You know, other
communications when we're talking about somebody's phone conversations or internet traffic being incidentally scooped up
because they've been coordinating with an overseas terrorism target,
that might have a slightly higher justification under the law.
But that's sort of what Senator Wyden is asking here is,
what is the extent of this data collection program?
So the ask here, and this is a letter
to the Defense Secretary Lloyd Austin, is please release this information publicly so members of
Congress, including those that aren't on the relevant intelligence committees, could have a
reasoned debate on what the issues are here. And this can inform the decision of lawmakers
as to whether to pass some sort of remedial legislation
like the Fourth Amendment is not for sale act, which we discussed on our caveat podcast.
Yeah. Now, one of the things that caught my eye here is Wyden is making the point that a lot of
this information they can't publish, like some of the responses from the DOD, they can't publish because some of their answers
are classified. And Senator Wyden is pushing them to declassify these answers, as you say,
so they can have more public review. Yeah, I mean, that's one of the problems about
any sort of public debate about these programs is oftentimes we're all flying blind. You know,
some of the only public debates we've had
about counterterrorism intelligence programs have been after high profile leaks, looking at you,
Mr. Edward Snowden. Other than that, it's really hard to have reasoned debate on this, because
even if information is declassified, it's usually declassified long enough in advance that,
you know, the particular information might not be timely or relevant, you know, the way it had been six or eight months ago.
You know, so we see that with the release of FISA court opinions, where it reflects information
that might have been useful, you know, a year ago, but the intelligence community has already moved
on, they have different targets, they already have new methods under consideration. And that's what's happening here. You know, there are some
members of Congress, particularly the eight members of the leadership in the House and the
Senate, and then the chair and ranking members of the Intelligence Committee, who are able to see
this. But they can't really spark a public debate if so many other members of Congress and the general public are completely in the dark as to how this program works.
And it's one thing that's very frustrating about trying to seek reform on these types of issues is you are dealing with classified information.
I will say that there's a reason this information is classified.
It really does reveal some of our intelligence methods.
It could reveal confidential sources.
So it's not like they're just arbitrarily keeping things classified,
although they have done that in the past.
Yeah, I mean, Wyden kind of speaks to that too.
In his letter to Secretary of Defense Austin,
he sort of points to, I guess,
that notion that the DOD has been accused of overclassifying things.
And in Wyden's letter, he says,
information should only be classified if its unauthorized disclosure
would cause damage to national security.
The information provided by DOD in response to my questions
does not meet that bar.
Interesting.
Yeah, so I'll tell you a quick—
Is that for him to say?
It is.
I will tell you a quick story, though,
that is a staple of mine in some of my law classes.
There was a very famous Supreme Court case,
United States v. Reynolds,
which came out in 1953,
which was about the so-called state secrets privilege,
where the government could assert that a case concerns a state secret,
and that case could be dismissed from court,
where the plaintiffs wouldn't be able to seek relief.
So this was a case where family members of people who were in the military
sued the government because their family members died
due to a plane crash. And they were alleging that potentially the government was negligent
in the design or operation of these airplanes. And since these were military aircraft,
the government at the time said, this is highly secretive information. We can't litigate this.
If we did, you know, we would be revealing state secrets,
and that would do damage to our national security.
We're trying to fight the USSR here.
Let's get serious.
It came out about 40 years later,
while some of the plaintiffs of this case were still alive,
that that was basically BS.
That there was no relevant national security information in the Reynolds case. And in fact,
they really tried to conceal the information because they were scared of facing civil
liability. So it became this kind of cautionary tale about over-classification. And maybe I sound
paranoid, but it is a lesson to, you know, not just instinctively
trust when the government says they're classifying something for national security purposes,
because they've been known to lie in the past. I mean, I guess that's exactly what Senator Wyden
is doing here. He's the one who, he has a view into this, you know, having the ability to
see the classified information and share his opinion that it doesn't meet that standard.
Yeah. And Senator Wyden has done this before. I mean, he said things on the Senate floor,
like, I know things I'm not allowed to say here, but if you don't release unclassified information,
you know, I might find a way to make it public.
It's just because he is very passionate about these surveillance issues.
Yeah.
All right.
Well, the article is over on the Vice website.
It's titled Pentagon Surveilling Americans Without a Warrant, Senator Reveals, written
by Joseph Cox.
Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
If you are looking for something to do over the upcoming long holiday weekend, at least here in the U.S., be sure to check out my conversation with Brandon Hoffman from Intel 471 on Research Saturday.
We're discussing EtterSilent, the underground's new favorite maldoc builder.
That's Research Saturday. Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.