CyberWire Daily - Chinese threat actors reel in Barracuda appliances. Diicot: the gang formerly known as Mexals, with Romanian ties. Recent Russian cyberespionage against Ukraine and its sympathizers.
Episode Date: June 15, 2023
A Chinese threat actor exploits a Barracuda vulnerability. The upgraded version of the Android GravityRAT can exfiltrate WhatsApp messages. Cybercriminals pose as security researchers to propagate malware. Updates on the Vidar threat operation. A new Romanian hacking group has emerged. Shuckworm collects intelligence, and may support targeting. The Washington Post’s Tim Starks explains the section 702 debate. Our guest is Rotem Iram from At-Bay with insights on email security. And Russia's Cadet Blizzard.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/115
Selected reading.
Android GravityRAT goes after WhatsApp backups (ESET)
Quarterly Adversarial Threat Report (Facebook)
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China (Mandiant)
GravityRAT - The Two-Year Evolution Of An APT Targeting India (Cisco Talos)
Fake Security Researcher GitHub Repositories Deliver Malicious Implant (VulnCheck)
Darth Vidar: The Aesir Strike Back (Team Cymru)
Tracking Diicot: an emerging Romanian threat actor (Cado Security)
Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine (Symantec)
Cadet Blizzard emerges as a novel and distinct Russian threat actor (Microsoft)
Destructive malware targeting Ukrainian organizations (Microsoft)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A Chinese threat actor exploits a Barracuda vulnerability.
An upgraded version of the Android GravityRAT can exfiltrate WhatsApp messages.
Cyber criminals pose as security researchers to propagate malware.
Updates on the Vidar threat operation.
A new Romanian hacking group has emerged.
Shuckworm collects intelligence and may support targeting.
The Washington Post's Tim Starks explains the Section 702 debate.
Our guest is Rotem Iram from At-Bay with insights on email security.
And Russia's Cadet Blizzard.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, June 15th, 2023.
Following a late May announcement of a zero-day vulnerability affecting the Barracuda email security gateway,
Mandiant has identified an actor they believe is based in China targeting Barracuda ESG appliances.
The gang, identified as UNC4841, may have exploited this vulnerability as long ago as October of last year.
The threat actors sent phishing emails containing malicious file attachments
that exploited the vulnerability and allowed for initial access into affected devices.
UNC4841 is said to rely primarily on three families of code:
SALTWATER, SEASPY, and SEASIDE.
The hackers are said by researchers to aggressively target specific data of interest for exfiltration following the initial compromise.
The gang is said to be using this access for cyber espionage purposes.
Barracuda recommends isolating and replacing affected devices. Mandiant adds that
further investigation and hunting within systems would also be a good idea, as this gang has shown
a strong capability for lateral movement and is nothing if not persistent.
Researchers at ESET have found an updated version of the Android GravityRAT that can exfiltrate stored WhatsApp messages and delete files on command.
The remote-access Trojan is being delivered in the form of chat applications.
These are, in fact, corrupted versions of open-source OMEMO IM code.
When ESET attempted to download an affected instance of BingeChat, they found that its registration was closed, leading them to believe that this campaign is highly targeted. ESET writes
that it's possible that the operators even go so far as opening registration at the time a specific
target is anticipated to be online. The researchers have been unable to find any victims of the campaign,
which further suggests the campaign is intended for specific targets and not a large-scale
campaign. Though attribution of the threat actors behind this RAT is unknown, Facebook and Cisco
Talos have suggested that a Pakistan-based APT may be responsible. So, while the number of victims affected by the Trojan
may not defy gravity, its capabilities are something worthy of note.
Researchers at VulnCheck have discovered malicious GitHub repositories claiming to be zero-day proofs
of concept posted by security researchers. VulnCheck says that the cybercriminals operate multiple fake accounts and Twitter profiles
posing as employees of a fictitious company named High Sierra Cybersecurity.
The malicious profiles often use legitimate headshots of security researchers
and contain a malicious repository.
Avkash Katheria, Senior Vice President of Research and Innovation at Cyware, commented that it's worth repeating these Security 101 tenets.
Don't download questionable files from GitHub.
Don't install any sample malware in a system that is not isolated.
Don't trust what you see on Twitter.
If you spend all day researching threats and scam techniques, don't be surprised when you become the target.
That's one moral of this story.
Team Cymru continues to track the Vidar commodity malware operation.
The malware's operators are using public VPN services for anonymity and have begun migrating to Tor.
The researchers state that recent changes have made the monitoring of updates to malware more difficult.
Researchers say that previously it was possible to download any files hosted on the URL path slash private,
such as the bash script responsible for installing the necessary components for a new Vidar campaign,
making it possible to monitor malware updates.
Unauthenticated file download attempts now redirect back to the Vidar affiliate login screen.
Cado Security researchers today reported discovering threat patterns they associate with the Diicot threat group.
Diicot, the gang formerly known as Mexals, is deploying malicious payloads that aren't in public repositories.
In particular, the group has its hands on an initial access tool that self-propagates, and it's also using custom packages to hide binary payloads.
Diicot engages in a range of criminal activity, including cryptojacking, doxing, and DDoS attacks.
Active since at least 2020, Diicot has recently been seen using a Mirai-based botnet, Cayosin,
in attacks against routers running the OpenWRT operating system.
The gang's new Diicot moniker is also the name of the organized crime and anti-terrorism police unit in Romania.
That, combined with observations of the Romanian language and strings and log statements,
has led researchers to conclude that the gang's origins are Romanian.
Russian intelligence services are again targeting
Ukrainian government and security services
in a persistent intelligence collection campaign.
The Symantec threat hunter team
released a long-form article discussing the long-term behavior of the Russian APT Shuckworm.
Shuckworm, also known as Gamaredon or Armageddon, seems recently to have targeted Ukraine's security
services, military, and government organizations with a view to establishing long-term persistence for
continuing intelligence collection. Symantec writes, in some cases, the Russian group succeeded
in staging long-running intrusions lasting for as long as three months. They observed repeated
attempts at accessing and stealing sensitive information related to Ukrainian service members,
airstrikes, training reports, and the like.
Shuckworm constantly evolves its tools to evade detection and throw off defenders' attempts
to profile the threat actor. Although Shuckworm has been active against Ukrainian networks since
2014, the year of Russia's invasion of Ukraine's Crimean province, its most recent attacks in February and March of 2023 are of
particular interest. They scan a victim's network for files that could contain sensitive Ukrainian
military information and could possibly be used to target kinetic strikes against Ukrainian units.
And finally, Microsoft researchers have now identified a cluster of cyberattacks
as the work of a Russian General Staff Main Intelligence Directorate, or GRU, unit
that Microsoft has named Cadet Blizzard.
Redmond thinks that Cadet Blizzard, formerly tracked as DEV-0586, has been operating since 2020.
They associate the unit with last year's WhisperGate wiper attacks against Ukrainian targets,
and they note that in recent months the threat actor has been associated with influence operations.
Cadet Blizzard isn't the only GRU threat actor working against Ukraine.
While Microsoft links Cadet Blizzard to the Russian GRU,
they maintain that the group is separate from the more familiar
Forest Blizzard and Seashell Blizzard gangs, also known as Strontium and Iridium, respectively.
Compared to Forest Blizzard and Seashell Blizzard, Microsoft assesses Cadet Blizzard as generally
less effective than its better-known institutional siblings. Still, it's enjoyed a modest level of success,
and it's not an outfit defenders can afford to disregard.
Coming up after the break,
The Washington Post's Tim Starks explains the Section 702 debate.
Our guest is Rotem Iram from At-Bay with insights on email security.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass
your company's defenses is by targeting your executives and their families at home? Black
Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families
24/7, 365 with Black Cloak.
Learn more at blackcloak.io.
Cybersecurity insurance provider At-Bay recently published a report exploring the effectiveness of various email security solutions,
along with recommendations for revamping email security practices.
Rotem Iram is CEO and co-founder of At-Bay.
One of the things that has frustrated me personally,
as somebody who has been in the security industry for a while, is that it is really difficult to know what is the relationship
between certain technology choices that we make
and the risk that is entailed.
It's easy to believe that they help, but how much do they help?
Which one is better?
How much should I spend to buy additional security controls?
Is it worth the investment or not? It's really difficult to answer any of these questions without a financial analysis
of the actual loss results. And that is what has made me excited to build an insurance company
where we get to see claims of more than 40,000 of our insureds over these last few years and
start to tease out what are the relationships
between certain product choices
and certain technology choices
that our customers have made
and the financial losses that they experienced later on.
And what we've done in our report
is highlight two elements that are related to email security.
The first one is the choice of the underlying email client.
We believe that that is really important
because if I would take the metaphor of protecting a house,
I want to know how you've built your house first
before I'm interested in what security solutions
you've overlaid the house.
Yes, it is important to know if you have locks on your doors
and a fence around the house and closed cameras,
but I want to know, is the house made out of brick or woods or is it straw? And the first thing that
we've identified is that, and by the way, maybe it's also important to say is our analysis is a
statistical analysis of our own claims experience. It's just nothing about the technical capabilities
of the products, only how we experience customers that have decided to buy and purchase and use
those products. And what we see is that companies who chose Google Workspace as their email
environment experience significantly fewer losses than customers that have chosen Microsoft
365 or Microsoft Exchange. And that could be a combination of both issues with how easy it is to
break in to either one of those platforms or also how much attention attackers are putting into any
one of those platforms. But regardless to why this is happening, at the end of the day,
as an insurance company that does not want to, or that wants to find ways to limit how much we lose
on each policy, we have found that Microsoft Exchange, which is the on-premise,
kind of older version of Microsoft Office, Microsoft Exchange is dramatically more vulnerable than the cloud email solutions,
Workspace and 365, by almost a factor of three compared to Google Workspace.
And Google Workspace outperforms Microsoft 365 by almost twice as better in terms of
the frequency of attacks.
And then the second layer is the layer of email security solutions that companies purchase to put on top of their email solution.
These are companies like Mimecast, Sophos, Intermedia, AppRiver, Proofpoint, Barracuda,
and others.
What we found, generally speaking, is that these solutions all do a good job reducing the risk of the insured.
But we have found a stronger correlation between Mimecast email security solutions and lower frequency compared to each of the other choices.
Mimecast came first with almost 30% lower frequency of incidents that started in email compared to the average email security platform.
And then you can read the full list in our report that we published.
I'm curious, as an insurance provider,
to what degree do you feel as though you're having influence
over organizations and the things they choose?
I mean, you can set rates based on some of the data you're gathering here, right?
Absolutely.
We use this data, first and foremost, for our own pricing exercise
so that we can price the policy adequately
and we reflect this pricing back to the customer.
And so what we tell our customers is,
here are the choices that you have made
and here is the resulting insurance premium.
And by the way, if you have made different choices,
this is the opportunity you have to improve.
Typically, customers don't care about
making their insurance policy worse, but here are the ways in which you could get access to better coverage or better
premiums, lower premiums, if you were to adopt other solutions that we find are better performing
when it comes to risk. In some cases, and by the way, our customers view us as a very credible and very much an objective third party.
We don't care which solution wins.
We're not tied to any one of these specific platforms or solutions.
We want to decrease risk.
And in that way, we are very much on the same side as the insured.
I'll say more than that.
At-Bay focuses on small and
medium-sized companies. These are companies that do not have the budget or the expertise to manage
security themselves. There is no CISO in the organization that has a very strong opinion
about security solutions. And they see the insurance company as a partner that not only buys away some of their
risk for the premium, but also as a very credible entity to help them manage their risk. And so as
kind of their trusted partner, they oftentimes follow our advice, even when it's not. And it's
much easier to do it this way when we can actually show them the relationship between losses and the choices that they make.
In some cases, for example, in the case of the old Microsoft Exchange services, we would significantly limit the coverage in the policy unless they upgraded to a cloud solution.
And we're happy to help them.
By the way, we've partnered with Microsoft to help Exchange customers upgrade their environments
for no fee to the Office 365 environment because it is so much safer and so much better for
us.
But if they choose to remain with the Exchange environment, we in many cases tell them that they should probably go and seek insurance from another provider.
That's Rotem Iram from At-Bay.
Joining me once again is Tim Starks.
He is the author of the Cybersecurity 202 over at the Washington Post.
Tim, it's always great to have you back.
Always great to be back.
So earlier this week, you published a story about the ongoing debate over Section 702 authorization,
which is really hot and heavy right now among Congress and the various players in this world.
Can you give us a little overview
before we dig into the current specifics
of what led us to where we are here today?
The issue with Section 702,
this is a program that was created after 9/11, eventually became authorized into
law. It was a sort of a secret administration program for a while. And then they did go ahead
and authorize it with a little bit of extra protections that had been in there. The idea
of the program originally was, of course, to capture or to be able to eavesdrop on terrorists.
And the thing that made it controversial is that it was under
the Foreign Intelligence Surveillance Act, which, as you might imagine, was supposed to be foreign
related. And in this case, they were targeting foreigners, but the people on the other line
of the communications that they were eavesdropping on might be Americans. This was warrantless
surveillance. So it was very controversial to get to the point of being authorized and then reauthorized again in 2018, because we're talking about Americans being
surveilled upon. That's something we take a little different approach to in the United States.
So there are other ways in which U.S. citizens can be spied upon here. One of the things that
they can do, the FBI can go in if they have some evidence of a crime or if they have some foreign intelligence purpose that they can justify. They can go and search
that database of all those communications they've collected based on looking
for the U.S. person communications. There's a fear that this is so-called reverse
targeting or backdoor searches. So all of this has been very controversial
for a long time, but it's only gotten more controversial since the last
reauthorization because FISA is now wrapped up in some hostilities that Republicans have over FISA overall, not
Section 702, you, Sona, a Trump campaign aide. And also there have been yet more reports of abuses
that have been coming out in the last few months. And so this is up for renewal this year, right? It expires at the
end of this year. So what's the overall debate here? Yeah, they don't have a lot of time. The
administration started making a push on this early this year, and maybe they should have gotten
started sooner because this has not gotten too far in terms of who's acting on it. This is,
you know, one of the first hearings on this matter in the Senate Judiciary Committee this week. They're one of the committees that have oversight of that
FISA law. They just had it in June. And if you know Congress very well, you know that sometimes
it takes a little while for them to get to the point of actually taking action.
So we're still early in the process of this. One of the things that we are seeing come up more often, and the administration does not like this, is the notion of a warrant requirement for going into that database and searching for a
U.S. person. So that's going to be a real sticking point, just to maybe give the folk listening a
little bit more reason to understand why Section 702 is so important. We're talking about eavesdropping
on emails, eavesdropping on texts. You get into the sort of cybersecurity world pretty quickly. And while it was conceived for anti-terrorism
purposes, these days, the administration, the FBI said nearly half or approximately half
of the uses of that querying is for cybersecurity cases where they're trying to go in and find
victims of cybersecurity incidents or trying to track down the hackers responsible. So it's got
a lot of cybersecurity ramifications that it's always had, but it's gotten more and more of them
if you listen to the administration. What is the burden here of having to get a warrant? I mean,
that seems to align with the notion of the Fourth Amendment. Why is the administration
against that additional burden? Yeah, so they have a couple different answers to that. One is that
despite what people do say about the Fourth Amendment concerns,
and Congress mentioned this this week, it is first and foremost on their mind.
They say that no court that has evaluated this program has said it goes against the Fourth Amendment.
The other thing they say is that it would be wildly impractical.
If they had to do it every single time they wanted it, the courts would just be completely
clogged up.
They wouldn't be able to ever get anything done with speed.
In some cases, they say we're trying to find out really quickly in real time who a victim
is.
And if you're worried about trying to track down who a victim is and you have to wait
any length of time, you're going to have a lot less success.
Any notion of how this is likely to play out?
Oh, God.
I hate it when you ask me that, Dave.
I know. It's so unfair of me, but I'm asking the questions here, too.
Ellen Nakashima, my colleague, she and I were discussing this,
and she tweeted about this.
This is not violating confidentiality of discussions.
It feels like if this is going to happen,
the administration might have to accept some kind of warrant requirement.
There was a call that some senior administration officials did with reporters
where one of the reporters asked,
are you going to talk about maybe just doing a clean six-month extension?
I could see that happening, or some kind of extension,
and I can see it happening in part because it's happened before,
where they keep having to kick the can down the road.
But what the ultimate deal looks like is really,
it's difficult for me to imagine,
because the opposition from the Republican side
has really been mounting.
They control the House.
The opposition from civil liberties-oriented Democrats
and Republicans has always been there, and I think it's hardened, if anything.
It's really difficult for me to imagine them getting a version of the deal where they don't have to make some kind of concessions on warrants.
But it's hard to imagine what a middle ground looks like.
Right now, it's we don't want a warrant versus we do want a warrant.
And you can't have half a baby.
If one person wants a child and the other person in a relationship doesn't, you can't. There's no compromise.
One person seems to have to give up.
So I think trying to be creative
around how that warrant requirement could work
is probably where ideal lies
or the administration just rolling over
and saying, look, we need this authority so much
that we will deal with this
and live with this warrant requirement.
All right.
Well, time will tell, as we like to say.
Tim Starks is the author of the Cybersecurity 202 at The Washington Post.
Tim, thanks for joining us.
Thank you.
worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
Your feedback helps us ensure
we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by Rachel Gelfand.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Thank you.
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.