CyberWire Daily - Bronze President shows both enduring interests and adaptability. Iranian threat actor activity reported. Cybersecurity and small-to-medium businesses.
Episode Date: September 8, 2022

Bronze President shows both enduring interests and adaptability. Iranian threat actor activity is reported. Cybersecurity and small-to-medium businesses. An initial access broker repurposes Conti's old playbook for use against Ukraine. Johannes Ullrich from SANS on scanning for VoIP servers. Our guest is Ian Smith from Chronosphere on observability. And Kyivstar as a case study in telco resiliency. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/173

Selected reading.
BRONZE PRESIDENT Targets Government Officials (Secureworks)
APT42: Crooked Charms, Cons, and Compromises (Mandiant)
Profiling DEV-0270: PHOSPHORUS' ransomware operations (Microsoft)
Albania cuts diplomatic ties with Iran over July cyberattack (The Washington Post)
Initial access broker repurposing techniques in targeted attacks against Ukraine (Google)
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine (IBM Security Intelligence)
Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (BleepingComputer)
Ukraine's largest telecom stands against Russian cyberattacks (POLITICO)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Bronze President shows both enduring interests and adaptability.
Iranian threat actor activity has been reported.
Cybersecurity and small to medium businesses.
An initial access broker repurposes Conti's old playbook for use against Ukraine.
Johannes Ullrich from SANS on scanning for voice over IP servers.
Our guest is Ian Smith from Chronosphere on observability.
And Kyivstar as a case study in telco resiliency.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 8th, 2022.
SecureWorks Counter Threat Unit researchers have discovered a PlugX malware campaign targeting government officials' computers in Europe, the Middle East, and South America.
The malware is embedded in RAR archive files that require the user to click a Windows shortcut file.
The decoy documents are political in nature, suggesting that the targets are all government officials.
This campaign can probably be attributed to the Bronze President threat group that is likely to be operated by the Chinese government.
Bronze President has shown an enduring interest in such Chinese neighbors as Vietnam and Myanmar,
but it's also been responsive to developing crises and emergent requirements,
as seen in the interest it's taken in Ukraine
as Russia's invasion has developed.
The researchers state, Bronze President has demonstrated an ability to pivot quickly for new intelligence collection opportunities. Organizations in geographic regions of interest to China should closely monitor this group's activities, especially organizations associated with or operating as government agencies.
Two reports, one from Mandiant, the other from Microsoft, outline Iranian cyber operations.
Mandiant's report describes activity by APT42, stating,
We estimate with moderate confidence that APT42 operates on behalf of the Islamic Revolutionary
Guard Corps intelligence organization based on targeting patterns that align with the
organization's operational mandates and priorities.
APT42 engages in credential harvesting with a view toward establishing surveillance over
its targets, principally through installation of Android mobile malware.
The initial access is often achieved through closely targeted and protracted spearphishing efforts.
APT42 also engages in the development of its own malware.
It's not entirely dependent upon commodity tools available in the C2C market.
Mandiant summarized the group's targeting as follows, stating,
The targeting patterns for APT42 operations are similar to other Iranian cyber espionage actors,
with a large segment of its activity focused on the Middle East region.
However, unlike other suspected IRGC-affiliated cyber espionage groups that have focused on targeting the defense industrial base or conducting large-scale collection of personally identifiable information,
APT42 primarily targets organizations and individuals deemed opponents or enemies of the regime, specifically gaining access to their personal accounts and mobile devices. The group
has consistently targeted Western think tanks, researchers, journalists, current Western government
officials, former Iranian government officials, and the Iranian diaspora abroad. There are some
connections to, or at least overlap with, the Iranian Phosphorus subunit Microsoft describes in its own report.
DEV-0270, or Nemesis Kitten, is interesting for the ways in which its activities don't obviously align with any Iranian strategic interests.
This leads Microsoft to speculate with low confidence that Nemesis Kitten is moonlighting, deploying ransomware in what amounts to either privateering or, perhaps more likely, an APT side hustle. Microsoft
concludes, judging from their geographic and sectoral targeting, which often lacked a strategic
value for the regime, we assess with low confidence that some of DEV-0270's ransomware attacks
are a form of moonlighting for personal or company-specific revenue generation.
These reports come after Albania's decision earlier this week to sever diplomatic relations with Iran
over Iran's disruptive attacks against Albanian government infrastructure.
Iran has denied any involvement in offensive cyber operations against Albania or anyone else
and protested that it's the real victim here.
Security firm Vade today released its 2022 SMB cybersecurity landscape report,
a survey of 500 IT decision makers. It found that 79% of those surveyed have agreed that cyber attacks on their organizations have increased, with 87% agreeing that email threats
to cybersecurity should be taken more seriously. 91% of respondents said that they are using an
MSP for security, with 92% of organizations outsourcing some of their IT
operations to an MSP. 94% of those surveyed have high levels of confidence in their organization's
ability to defend against cyberattacks, with 51% saying they're completely confident,
but 68% agree that their security posture could be more advanced.
Google's Threat Analysis Group has discerned a pattern in Russia's war against Ukraine, stating, as the war in Ukraine continues,
TAG is tracking an increased number of financially motivated threat actors targeting Ukraine,
whose activities seem closely aligned with Russian government-backed attackers.
Specifically, it's one threat actor,
and its activities overlap with the group that CERT-UA tracks as UAC-0098.
Google says,
based on multiple indicators,
TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group,
repurposing their techniques to target Ukraine.
So the pattern is a familiar one, Russia using criminal groups for cyber combat.
In conclusion, Google TAG writes,
UAC-0098 activities are representative examples of blurring lines between financially motivated and government-backed groups in Eastern Europe,
illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests.
TAG also gives due credit to other researchers.
Its results are consistent with a report IBM published in July and with earlier observations CERT-UA offered in April.
Other Conti remnants have attracted counterfire, perhaps from hacktivists or criminal rivals or security services. Servers the gang had
used to distribute Cobalt Strike payloads have been subjected to DDoS attacks that displayed
anti-war, anti-Russian messages, including, Be a Russian patriot! 15,000-plus dead Russian soldiers! Stop Putin and stop the war!
BleepingComputer reports that the operators behind the DDoS campaign are unknown, stating,
It's unclear who is behind these messages. It could be anyone from a security researcher
to law enforcement agencies to a cybercriminal with a grudge for siding with Russia.
But it looks like they're keeping the threat actor busy.
Kyivstar, the Ukrainian telecommunications provider that serves some 26 million customers, has come under both cyber and kinetic attack and has had to cope with both hijacking and shelling, Politico reports.
As much as 30% of the company's infrastructure has been damaged,
yet capacity has actually increased during the war.
Kyivstar credits, in part, disruption of Russian offensive operations
by groups like the IT Army of Ukraine.
Kyivstar CEO Alexander Komarov told the press,
Part of our success is because we are forcing Russians to defense,
explaining that the IT Army is creating this hassle on the Russian side
and it's making them more weak because of this.
Coming up after the break, Johannes Ullrich from SANS on scanning for voice over IP servers, and our guest Ian Smith from Chronosphere explains observability.
Stick with us.
There is growing interest in cybersecurity in the notion of observability,
being able to keep tabs on what your systems are doing,
being aware when things go wrong, and finding problems in order to fix them.
Sounds easy enough, but given the explosive growth of cloud-based infrastructure over the past few years,
observability can be a daunting task. For a better understanding of what exactly observability is,
I reached out to Ian Smith, field CTO at Chronosphere.
Generally, collecting a lot of information about the way your applications are performing and also the underlying infrastructure.
So it's particularly relevant for companies
who are building and operating their own software
to serve their customers,
whether they be commercial customers or general consumers.
And so the ability to collect that information,
interpret it, visualize it, and also alert on it
so that you can, for example, react to, let's say, an incident
where you have a bad
performance issue affecting a lot of your customers, or maybe you're looking at things
from a longer-term perspective of you need to understand capacity planning so you can plan out,
say, your infrastructural rollouts as your business continues to grow.
Can you give us some use case examples here? I mean, how do folks actually go about implementing this?
Sure. So a common approach is to have various sets of data. So commonly, people might be familiar
with metrics. So numbers about performance, how much CPU am I using, how much memory is being used,
how fast is my application responding? You also have logs, the individual things that might be
happening inside those applications,
things happening at the network level.
Then also traces are starting to
become a lot more prevalent as well,
particularly in distributed environments where you may be moving from,
say, service-orientated architecture
into something more akin to Cloud-native,
where you have a lot of microservices
that are all backing one user experience.
So, for example, you logging in, you need to understand what are all the dependencies,
what are all the databases, what are all the different services that might lead to that
simple interaction of you logging into your internet banking.
And you can imagine for someone like an internet bank, if there was a performance problem where,
say, a large portion of their customers were having difficulties logging in or were experiencing slow performance,
you want to be able to use the observability data and the tooling that you have with that data
to understand why and how to resolve it. Perhaps what caused it in the first place? Was it a bad
deployment? Was it an issue with maybe my underlying provider, like an AWS or GCP?
And then also when you apply a fix, being confident that you've actually resolved the issue as well.
Yeah, that's interesting.
So, I mean, I can imagine that if you have a customer who's having performance issues, you coming to them and saying, we've detected there's an issue here and we're working on it, rather than waiting for them to come to you, I mean, that's a good thing in the relationship.
Correct. And then obviously it sort of feeds into the overall reliability and, you know,
whether you're meeting expectations of the customer. So if you are a particularly a SaaS
vendor in today's world, you're providing your software as a service, whether it be to
individual consumers or to businesses themselves, you need to be reliable. Everyone thinks about
SLAs, everyone thinks about uptime. And so being able to provide that reliability and convincingly
back that up and be proactive can really be very business impacting.
And how does an observability platform, you know,
get its hooks into the system that it's integrated with?
Yeah, that's a great question. So in the past, this would have been very much a manual effort.
I mentioned before, you know, logging,
you think about the developer just writing code
and manually just logging out particular things and thinking about those individually as they go along.
Just like with the advancements in, say, middleware, where you have libraries and packages, those libraries and packages will have come with additional pieces of what we call instrumentation, so the generation of new data.
For example, if you're using a database package, as you generate a new
database query, maybe it's automatically logged. Maybe it automatically counts the number of
queries that you're making and makes that data available. And of course, it depends on what
you're using and so forth. But the industry in general has been moving towards adoption of open
standards, where there's sort of a
consistency about the instrumentation of the data as much as possible. And you're less reliant on
perhaps the observability solution to have a very strong opinion on generating that data itself.
So if we maybe use an example, APM solutions, which are a form of observability solution that
became very popular in, say, the
mid-2000s, they generated all of the data for you. They basically said, hey, take this little
application, put it next to your application, and it will figure out what to collect for you,
and we'll present that data to you in a way that we believe is the best.
In today's world, what we're really seeing is, just like a lot of open source adoption,
there are open source standards for this data collection where you can say, okay, well, I'm going to use something like OpenTelemetry and it's going to be very consistent. It's going to
generate the data and then I, as an engineering organization, can pick and choose where to send
that data based off which solution gives me the most value out of that data. And I'm also owning that instrumentation. If I make changes to it, if I enhance it, I'm not
doing this for one particular solution. I'm doing it for any solution I may choose to put that data
into. And so there's a greater sense of ownership and a greater flexibility for engineering
organizations today as compared to what has traditionally
happened in monitoring and observability.
That's Ian Smith from Chronosphere.
And joining me once again is Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast.
Johannes, always great to welcome you back.
Thanks for having me again, Dave.
So we are talking today about voice over IP servers.
What's the latest here?
What have you been looking into?
Well, I have actually ignored it for a long time.
I used to run sort of on my voice over IP phones here in the office.
But lately, everybody has unlimited free calls on their cell phones.
So why bother, basically?
But what I kind of noticed is sort of,
particularly when I looked at our
DShield, the Internet Storm Center data,
these persistent scans
for voice over IP, basically.
UDP port 5060, the
SIP protocol that's often being
scanned for.
So I figured, hey, let's have some fun and set up
a voice over IP server
just to see what'll happen.
You couldn't help yourself, could you?
I couldn't help myself, no.
Those poor kids scanning, I have to give them something back
for all their effort.
Sure, sure.
What's going to happen there?
It was really amazing.
I set up a voice over IP server.
I didn't really configure it,
so you couldn't really do anything with it.
It didn't have like an uplink connectivity.
So you couldn't really make phone calls with it.
But immediately the number of scans kind of exploded
that I had sort of from like,
and it looked like a little bit of larger network here,
but from like, you know from 50 or so an hour, it went all the way up to 500,000, 5,000 scans an hour that hit that server.
What was interesting, there were two types of tags.
Some just tried to make phone calls.
That showed us a little bit why people are still scanning for it.
For example, the number two number that they tried to call was in the Palestinian territories.
And that's, of course, an area of the world where a lot of Western, in particular, phone companies don't necessarily have relationships.
So if you have a free international plan, that may be excluded.
So cost really still matters in those areas.
So that was one number. And then, of course, if it's Palestinians, the next number up was Chicago.
That's, I guess, the Palestine of US.
That's then scammers most likely.
Because these are the other people that really matter.
They don't really care about the cost necessarily,
but they're caring about
getting kicked off different voice over IP services.
Because people complain about scammers
and then a voice over IP service that hosts a lot of scammers is getting a bad reputation with phone companies, not just getting problems, getting service at a reasonable price.
So by just using compromised voice over IP servers, they get some anonymity, first of all.
And then, of course, if they get kicked off one, well, apparently there are plenty others out there that they can use.
So those are kind of the two big motivations here.
And just to put it in perspective, like I mentioned how the number of scans went up,
I also looked at password brute forcing.
They're not trying to use your voice over IP server,
they're trying to basically register their extension with your voice over IP server.
And typically, using a password,
there were about 20 million attempts
during the two days of our RANDEX experiments.
So it's a huge amount of attacks there.
Of course, once they register their extension,
then they're also able to impersonate your organization.
Because now, as far as caller ID is concerned,
they're using your phone number to originate the call from.
And that, of course, makes them appear as coming from your organization,
which can be used then also for more sophisticated attacks,
like social engineering.
If you get a call now from your network security department,
caller ID checks out on your internal voice over IP system.
Well, you may actually give them your password.
Right, right.
What do you make of how the scans exploded that way?
I mean, in my mind, that indicates that somebody was sharing this somewhere.
Like, hey, everybody, we got a hot one.
Is there anything to that line of thinking or not?
That's possible.
What I really more think is that once I started sending responses back,
now these particular actors just kept sending follow-up requests.
And since it's all UDP, it's very fast,
so you don't really need a lot of system, a big bot,
that are sort of sent 20 million attempts.
I see. Okay.
So what are your recommendations here for folks
who are running
their own voice over IP server?
What kind of stuff
should they make sure they're doing?
Well, definitely make sure it's secure.
That password brute forcing.
Monitor if new extensions
are being registered.
They typically use sort of
what I would consider
default extensions like 100
and 101, I think,
was another very common one that they used.
So they may more be looking for unused
or sort of idle voice over IP servers,
which is another big problem.
We often have these devices being set up
and hey, they sound like a great idea for a while
and then you realize, hey, it's not really worth the trouble
to maintain it.
So you forget about it,
but you never really turn it off.
It's a common problem in security,
this sort of inventory and these ghost devices
you have to haunt your network
for years after they have no longer been used.
All right.
Well, it's interesting stuff.
Johannes Ullrich, thanks for joining us.
Thank you.
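A defender-side check for what the segment describes, registration brute forcing on UDP 5060 and probing of default extensions like 100 and 101, written as an added example and not code from SANS, the ISC or the CyberWire. The PBX extension inventory, the brute-force threshold, the hostname pbx.example and the SIP sample traffic are all constructed assumptions.

```python
"""Detect SIP REGISTER brute forcing and probes of unprovisioned extensions.

Added example (not from SANS, the ISC or the CyberWire). It parses minimal
SIP REGISTER requests, counts attempts per source address and flags sources
at or above a brute-force threshold plus attempts to register extensions the
PBX never provisioned, e.g. the default 100/101. All traffic is constructed."""
import re
from collections import Counter, defaultdict

# Assumption: extensions actually provisioned on this hypothetical PBX.
PROVISIONED = {"201", "202", "203"}
# Assumption: this many REGISTERs from one source is treated as brute force.
BRUTE_FORCE_THRESHOLD = 5

_USER_RE = re.compile(r'username="([^"]*)"')
_FROM_RE = re.compile(r"^From:.*?sip:([^@>;\s]+)@", re.IGNORECASE | re.MULTILINE)


def parse_register(msg):
    """Return (extension, has_credentials) for a REGISTER request, else None.

    Extension comes from the Digest username when an Authorization header is
    present (the credentialed retry of a brute-force run), else from From."""
    first_line = msg.lstrip().split("\n", 1)[0].strip()
    if not first_line.upper().startswith("REGISTER "):
        return None
    m = _USER_RE.search(msg)
    if m:
        return m.group(1), True
    m = _FROM_RE.search(msg)
    return (m.group(1), False) if m else None


def analyse(packets):
    """packets: iterable of (source_ip, raw_sip_text). Returns a report dict."""
    attempts = Counter()
    unprovisioned = defaultdict(set)
    for src, msg in packets:
        parsed = parse_register(msg)
        if parsed is None:  # INVITE, OPTIONS, responses: not registrations
            continue
        ext, _with_creds = parsed
        attempts[src] += 1
        if ext not in PROVISIONED:
            unprovisioned[ext].add(src)
    brute = sorted(s for s, n in attempts.items() if n >= BRUTE_FORCE_THRESHOLD)
    return {
        "attempts": dict(attempts),
        "brute_force_sources": brute,
        "unprovisioned_extensions": {e: sorted(v) for e, v in sorted(unprovisioned.items())},
    }


def build_register(ext, src_ip, with_auth):
    """Construct a minimal REGISTER request for sample data only."""
    lines = [
        "REGISTER sip:pbx.example SIP/2.0",
        f"Via: SIP/2.0/UDP {src_ip}:5060;branch=z9hG4bK-{ext}",
        f"From: <sip:{ext}@pbx.example>;tag=1",
        f"To: <sip:{ext}@pbx.example>",
        "Call-ID: constructed-sample@pbx.example",
        "CSeq: 2 REGISTER",
    ]
    if with_auth:  # placeholder digest, no real credential material
        lines.append(f'Authorization: Digest username="{ext}", realm="pbx.example", response="0"')
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample: one scanner hammering default extension 100 with
# credentials, a second probing 101 without any, one legitimate phone on 201,
# and an INVITE that must be ignored. Addresses are documentation ranges.
SAMPLE_PACKETS = (
    [("198.51.100.7", build_register("100", "198.51.100.7", True))] * 6
    + [("203.0.113.9", build_register("101", "203.0.113.9", False))] * 3
    + [("192.0.2.5", build_register("201", "192.0.2.5", True))]
    + [("203.0.113.9", "INVITE sip:201@pbx.example SIP/2.0\r\nCSeq: 1 INVITE\r\n\r\n")]
)

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PACKETS).items():
        print(f"{key}: {value}")
```

Feeding it real traffic means replacing SAMPLE_PACKETS with (source address, payload) pairs from a UDP/5060 capture; successful registrations for extensions outside PROVISIONED are the "new extension" events the guest recommends watching for.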
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman,
Trey Hester, Brandon Karpf, Eliana White,
Puru Prakash, Liz Irvin, Rachel Gelfand,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson.
Thanks for listening. We'll see you back here tomorrow.