CyberWire Daily - BladeHawk Android cyberespionage campaign in progress. Labor Day was quiet, but the gangs are now back at it. REvil’s remnant stirs. Bulletproof hosting. Phishing keywords.
Episode Date: September 8, 2021
BladeHawk cyberespionage campaign in progress. Microsoft warns of targeted attacks in progress. Hey--the hoods took a breather over Labor Day, but the straw hats are off now, and they're back at work. Someone is rummaging in REvil's unquiet grave. Bulletproof hosting services and the criminal marketplace. Mike Benjamin from Black Lotus Labs on ReverseRAT 2.0. Rick Howard checks in with Philip Reiner from the Ransomware Taskforce. And does a New Urgent Message Require Action? Maybe not. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/173
Transcript
You're listening to the CyberWire Network, powered by N2K.
BladeHawk's cyber espionage campaign is in progress.
Microsoft warns of targeted attacks.
Hey, the hoods took a breather over Labor Day, but the straw hats are off now and they're back at work.
Someone is rummaging in REvil's unquiet grave.
Bulletproof hosting services and the criminal marketplace.
Mike Benjamin from Black Lotus Labs on ReverseRAT 2.0.
Rick Howard checks in with Philip Reiner from the Ransomware Task Force.
And does a new urgent message require action?
Maybe not.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 8th, 2021.
ESET is tracking BladeHawk, a mobile Android-based cyber espionage campaign targeting ethnic Kurds. There's no attribution, but Kurds have been perennial objects of suspicion on the part of the three governments that control traditional Kurdistan: Turkey, Iraq, and Iran.
Microsoft warned yesterday that targeted attacks are exploiting a vulnerability in MSHTML by using malicious ActiveX controls in Word documents for remote code execution.
There's no patch yet, but Redmond is working on it.
In the meantime, Microsoft has made some mitigations and workarounds available,
notably disabling ActiveX,
and CISA encourages users and organizations to review them.
Patch Tuesday arrives next week,
and while Microsoft hasn't promised a fix for the vulnerability,
many expect Redmond to issue one then,
if not an earlier out-of-band patch.
And we do mention Microsoft is a CyberWire sponsor.
There's no attribution of the attacks yet, but SecurityWeek thinks that the wording of Microsoft's disclosure strongly hints that a nation-state is behind them. And CISA says, if you'd like to stay safer until a final patch is out, do consider what Microsoft recommends and disable ActiveX rendering.
So it turns out that Labor Day weekend was more a day off than the expected extortion doorbuster for ransomware gangs. But now that the holiday's passed, the hoods have returned to business as usual. The Washington Post is prepared to call the quiet holiday an anomaly. CISA, the FBI, and the White House had all warned organizations to be on the alert, sound advice on form, but the expected wave of attacks didn't materialize.
The ongoing ransomware infestation at Howard University in Washington, D.C.
is still under investigation and in the process of resolution.
As the university posted yesterday, the situation is still being investigated. ETS and its partners, ETS is the university's IT department, have been working diligently to fully address this incident and restore operations as quickly as possible. We are currently working with leading external forensic experts and law enforcement to fully investigate the incident and the impact. To date, there has been no evidence of personal information being accessed or exfiltrated. However, our investigation... End quote.
...access to campus restricted to essential personnel only. They're working on setting up an alternative Wi-Fi system, but that's not expected to be ready today.
The other big ransomware news concerns a stirring in the unquiet grave of REvil, the gang also known as Sodinokibi, that appeared to bring itself to an end after its high-profile attack against Kaseya. REvil was last heard from in its own voice when it was demanding first $70 million, then a discounted $50 million in exchange for a master decryption key.
The gang disappeared, and shortly thereafter, Kaseya received a decryption key from what it characterized as a reliable source, reliable in the sense that it delivered the goods. BleepingComputer reports speculation that Russian intelligence services quietly comped Kaseya with the decryptor. REvil may be among the ransomware gangs that's resurfacing. BleepingComputer reports that after an absence of almost two months, the group's dark web servers have reappeared. Researchers with both Emsisoft and Recorded Future have tweeted that among the restored presence is the gang's Happy Blog, but so far there's nothing new on the Happy Blog, which seems to have resurfaced with the same stuff on deck that was there when it submerged back on July 13th.
And the blog's return yesterday was incomplete.
While the dump site returned, much as it had been,
the Tor portal used to negotiate payment was up but inaccessible.
Victims weren't able to log in.
All of this revenant activity could mean any number of things.
KnowBe4 wrote us to observe that cybercriminals operate for a while as distinct, recognizable gangs, then break up, reform, and operate again. KnowBe4's James McQuiggan wrote, quote, with this recent activity, it is most likely possible that they are collecting files, data, zero days, or other malware to use in their next group, end quote. It's also possible that some law enforcement agency or agencies are rummaging what they can from the remains to see what forensic analysis will yield.
Steve Moore, Exabeam's chief security strategist, wrote that REvil is itself probably a reincarnation of an earlier group. It's likely that there are further incipient campaigns already under preparation against organizations that were vulnerable to the old version of REvil. He thinks that, quote, directly, REvil took time to refit, retool, and take a bit of a holiday over the summer. The fact their sites are back online means they are again ready for business and have targets in mind, end quote.
KnowBe4's McQuiggan closed his comments by comparing the gangs to the Hydra Hercules fought.
When one head was cut off, another nine grew in its place.
Or, as one might say when you're looking at bad actors, their name is Legion.
Security firm RiskIQ complains that bulletproof hosting services continue to play a major role as enablers of the underground criminal economy. Their researchers today are drawing attention to FlowSpec, which they call a one-stop shop for threat groups, facilitating phishing campaigns, malware delivery, Magecart skimmers, and large swaths of other malicious infrastructure. At least 19 FlowSpec domains are, according to RiskIQ, associated with Magecart, and the researchers allege that the well-known ransomware gangs that have used FlowSpec include Ryuk, Genosome, AirGop, Yamako, Sodinokibi, GandCrab, and Crysis. RiskIQ's bottom line on FlowSpec, which is operated in a twilight zone, one foot in darkness, the other in light, is this: FlowSpec's current IP allocation should be considered suspicious, if not outright malicious.
And finally, what are the keywords most commonly used in phishing nowadays?
Expel has just published a list, complete with brief analysis of how each word appears in its social engineering context.
They're words that are common enough to appear benign, even anodyne, but with enough suggestion of routine interest or urgency to possibly prompt the jaded and the unwary to click away. Some of the words are invoice, as in, say, missing invoice; new, as in new message, and by the way, message is another one of those commonly abused keywords; required; document; action; verification; request; and, among others, the ever-popular blank subject.
Think when you're contacted, and remember that security, like fortune herself, favors the prepared mind.
The CyberWire's own Chief Analyst and Chief Security Officer, Rick Howard,
recently caught up with Philip Reiner, Chief Executive Officer at the Institute for Security
and Technology. Here's their conversation.
Philip, back in January of this year, you formed something called the Ransomware Task Force.
Tell me what that is.
This is an effort to get all of the best people that we could talk to
and get their advice on what a comprehensive strategy could look like
to tackle the ransomware problem.
And this is public and private civil society, government industry,
as many folks that we could pull in quite honestly to cover the waterfront,
over a hundred, a hundred experts participated.
We had everybody from Microsoft to Coveware to the financial sector,
healthcare sector, small and medium-sized businesses.
Yeah, it's been a sprint, you know, January through March,
and we're set to release the report here and get the word out of what our recommendations are.
The result of that group getting together after many weeks is that you published a paper back at the beginning of May that describes some international strategic goals.
The attempt here is to actually
put together a real strategy. Ransomware is a pernicious, broad threat that touches a number
of different sectors. One of the things we always like to re-emphasize here is there's really great
work that's already going on. There's a lot of people out there fighting this fight every day,
and we don't mean to say that any of that should stop or that any of that isn't any good.
It's just in stovepipes. And so how can you actually put together a strategy that in a coordinated way with resources intentionally goes after the full spectrum of ransomware related actions?
As far as we could tell, nobody had put together that framework.
And that's what we've done through the task force.
There's a range of things that need to be done.
But if you only do some of them, it's not going to have the effect you're looking for.
At the outset, the challenge was to try and come up with that comprehensive framework.
And what we devised was a four-pronged approach where you've got to look at how to
actually deter folks from getting into this.
You got to actually be able to not just put them in handcuffs, but disrupt the actors
and their infrastructure proactively, not always just reacting to them after you've
gotten hit.
You've got to go after them, you've got to get left of boom.
How do you actually better help people prepare? So how do you make municipalities and small and medium-sized
businesses, how do you make them more resilient? How do you get them the resources they need?
And how do you help people respond? I know, you know, deterrence in this space is almost cliché and laughed at, but these guys are acting with impunity because they know nobody's going to come after them. There needs to be a White House and State Department-led initiative to actually get a collaborative international effort to deter these folks, squeeze their safe havens while you're disrupting their activities and while you're shoring up people in order to protect themselves. That's why we argue there has to be a comprehensive top-down framework and strategy.
Because otherwise,
you're not really going to make much of a dent.
That's Philip Reiner, the CEO and co-founder of the Institute for Security and Technology. And you can find his report at securityandtechnology, all one word, .org slash ransomware task force, again, all one word, slash report.
And I'm pleased to be joined once again by Mike Benjamin.
He's Vice President of Security at Lumen Technologies and also is the head of their Black Lotus Labs.
Mike, always great to have you back.
Thanks, Dave. Good to speak with you.
I want to focus today on the research that you and your colleagues have been doing when it comes to ReverseRAT and some of the things you all have been tracking there. Can we start off sort of at the beginning here? I mean, what first drew this to your attention?
Well, ReverseRAT is a trojan that we uncovered here that we published some details around about the end of June in the first iteration and more recently followed up on some more details. The RAT came across our sort of purview due to the way it does a certain type of host enumeration. And so we searched for a variety of signatures that actors use in their day-to-day of infection and post-exploitation and other things. And this one matched one of our triggers and led the team to take some time to understand more about what it was, ultimately uncovering something that wasn't known at the time.
So, of course, RAT stands for Remote Access Trojan. Can you take us through what are some of the unique things about ReverseRAT itself?
Well, I think most folks understand either the concept of remote access Trojans or even just commercially available remote access tools. A lot of enterprises' help desks, other things use them. And the criminal-used RATs are not really that dissimilar in regards to what they can do. And so, you know, simple things like desktop control, information about a host, screen sharing, those are the kinds of things that either RATs or the more reputable tools allow.
What's unique about ReverseRAT is that it was custom built.
And so there are some very well-developed RATs
that are used pretty widely.
And if you as a criminal wanted to go out and
take control of a computer and do something, you just download one of those tools. They work,
they're effective. However, as you might believe, they are detectable, right? Because they are more
widely used, they are more widely able to be detected and mitigated or blocked or just flat out removed. And so
the actors who take the time to go develop their own are those that are either going to have
more time, more money, something at the end of that campaign that makes it worth their while,
not the common criminal that's out there to just encrypt a hard drive or steal a credit card number. And so that's what really stands out is the fact that it was custom developed.
I see.
Well, you all continued your research here and you published some information about what
you're describing as ReverseRAT 2.0, which had some additional capabilities here.
What was the iteration here?
What changed with the second version of ReverseRAT?
Well, the first thing that the actor group did was add some more functions.
Like I mentioned, RATs have a variety of functions that they perform.
They added the ability to take pictures with the webcam.
So that was a new feature function that they'd added.
And some other minor changes to evade antivirus. They, in the first iteration, had focused on evading a certain path to avoid a detection in Kaspersky. They added one focused on the antivirus software Quick Heal, which is popular inside India.
And so they installed themselves in different ways in order to evade the tool chain being detected by those antiviruses.
But really, the big shift in this second iteration of research that we posted is focused on a
new agent that came as a component of it.
In the first campaign, we saw ReverseRAT 1.0 deployed in parallel with the open source framework AllaKore, which is another RAT. And in the second iteration of the research we published, they had stopped using that open source framework and had installed a sideloaded DLL that we call NightFury.
And this particular agent enumerates all files of interest within the computer as C2 commands in order to transfer that file
of what it enumerated from a host perspective,
as well as to be able to execute subsequent commands.
And so given its limited functionality
of enumeration and execution,
we believe it's an earlier stage loader in the process.
However, it has a number of functions not defined yet.
It's literally a loop.
If the C2 were to send a command, it would just go back to the C2.
So we believe it's still in development, and no doubt we'll see future development within that framework as well.
I see.
Can you take us through some of the other recommendations here?
How do you recommend people protect themselves?
Well, first is being aware of this actor group, their exact TTPs. So reading
through the research we've published, understanding exactly how they're carrying out their actions,
that's important. Then being able to compare those against the defenses of your particular
organization. So do you have adequate endpoint telemetry where you could detect, mitigate,
stop these things? Do you have an ability to monitor network traffic for C2 callbacks to infrastructure you don't expect?
And so this is, from a defensive perspective, a lot of the standard items that every entity should be doing.
But really, it's staying on top of current generation TTPs, making sure that you can search, mitigate and stop,
and then making sure that,
you know, everything's patched
and everything that this actor group would do
after they had this initial foothold
can be detected and mitigated as well.
All right.
Well, good advice as always.
Mike Benjamin, thanks for joining us.
Thank you for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.