CyberWire Daily - CISA and its partners warn of Iranian cyber ops. Cyberespionage in the Middle East with Candiru tools. Belarus connected to Ghostwriter. Facebook boots SideCopy. RAMP recruits members.
Episode Date: November 17, 2021
CISA, the FBI, the ACSC, and the NCSC issue a joint advisory warning of an Iranian cyber campaign exploiting known vulnerabilities in Fortinet and Microsoft Exchange. A Belarusian connection to Ghostwriter. Candiru tools reported in watering holes. SideCopy's interest in Afghanistan. RAMP shows an interest in attracting Chinese operators. Josh Ray from Accenture Security digs into the Conti playbook leak. Our guest is Matt Keeley from Bishop Fox on fuzzing. And Pompompurin wants to sell you leaked Robinhood data. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/221
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
CISA, the FBI, the ACSC, and the NCSC
issue a joint advisory warning of an Iranian cyber campaign,
a Belarusian connection to Ghostwriter, Candiru tools reported in watering holes,
SideCopy's interest in Afghanistan, RAMP shows an interest in attracting Chinese operators,
Josh Ray from Accenture Security digs into the Conti playbook leak,
our guest is Matt Keeley from Bishop Fox on fuzzing.
And Pompompurin wants to sell you
leaked data from Robinhood.
From the Cyber Wire studios at DataTribe,
I'm Dave Bittner with your Cyber Wire summary
for Wednesday, November 17th, 2021.
The U.S. Cybersecurity and Infrastructure Security Agency this morning issued a joint
advisory with the FBI, the Australian Cyber Security Centre,
and the UK's National Cyber Security Centre that warns of Iranian-sponsored
exploitation of vulnerabilities in Microsoft Exchange and Fortinet. The Fortinet vulnerabilities,
which include FortiOS vulnerabilities listed as CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591, have been under active exploitation since March.
The threat group has been working against a flaw in Microsoft Exchange, ProxyShell, which is CVE-2021-34473, since last month.
The advisory says,
quote,
The Iranian government-sponsored APT actors are actively targeting a broad range of victims
across multiple U.S. critical infrastructure sectors,
including the transportation sector and the healthcare and public health sector,
as well as Australian organizations.
FBI, CISA, ACSC, and NCSC assess the actors are
focusing on exploiting known vulnerabilities rather than targeting specific sectors. These
Iranian government-sponsored APT actors can leverage this access for follow-on operations
such as data exfiltration or encryption, ransomware, and extortion.
End quote.
The advisory includes advice on detection and mitigation.
The most important mitigation is to patch vulnerable systems,
since all of the exploits take advantage of known and fixed flaws in the susceptible software.
Mandiant finds a connection between the Ghostwriter campaign,
generally regarded as a Russian operation, to Belarus.
The company doesn't rule out an additional Russian connection to the threat actor it tracks as UNC1151,
but it thinks that Ghostwriter's targeting,
its absence of any obvious criminal payoff,
and the messaging of its disinformation argue for Belarus.
It's possible that this represents a distinction without much of a difference, given the close alignment of
Moscow and Minsk, much closer than that between Russia and any other former Soviet republic in
the near abroad. Candiru, the Israeli company recently subjected to U.S. sanctions alongside the better-known NSO Group,
has been tracked to a widespread surveillance campaign targeting mostly Middle Eastern organizations.
Researchers such as the Bratislava-based security firm ESET have found the company's tools in watering holes
designed to attract Iranian and other subjects.
Many of those watering holes were established in
compromised news sites. Those sites included the London-based Middle East Eye, Yemeni media
outlets including Al-Masirah, linked to the Houthi rebels fighting the Saudis, websites belonging to
Iran's foreign ministry, to Yemen's finance and interior ministries, to Syria's electricity ministry,
and to internet service providers in Syria and Yemen. Other compromised sites included some
belonging to Piaggio Aerospace, an Italian aerospace company, to Hezbollah, and to the
Saudi Reality, which is a media outlet operated by Saudi dissidents. ESET thinks it probable that the Candiru malware was delivered to users in a browser exploit.
Candiru has kept a much lower profile than the NSO Group,
but is reported by Computing to share some investors with the better-known Israeli company.
Like NSO Group, Candiru sells its tools to governments.
Unlike NSO Group, whose Pegasus software is designed for use against phones, Candiru's software principally affects desktop computers.
Reuters reports that Facebook, known since its rebranding as Meta,
tracked a Pakistan-based group, SideCopy, that sought to bring Afghans connected to the former government under surveillance
as that government collapsed during this summer's Taliban takeover.
Facebook's head of cyber espionage investigations, Mike Dvilyansky, told Reuters,
It's always difficult for us to speculate as to the end goal of the threat actor.
We don't know exactly who was compromised or what the end result of that was, end quote. In any case, Facebook ejected SideCopy accounts from its platform in August
and published a report on the group's activity yesterday. SideCopy, which is believed to be
operated by or on behalf of the Pakistan government, has been mostly associated with espionage operations against Indian targets.
Security firm Flashpoint has observed that the RAMP ransomware forum is back,
but that it includes a lot of Chinese-speaking participants. It's not clear what they're up to.
Does it represent a serious criminal outreach, maybe even a serious privateering outreach to Chinese actors?
Or is it misdirection of the kind Flashpoint discerned earlier this month in Groove,
apparently intended to simply darken counsel? Flashpoint's conclusion acknowledges the
difficulty of sorting out the motivations, quote, while it is possible that Russian-speaking
ransomware operators may be seeking alliances outside of Russia,
cooperative cybersecurity talks with the U.S. are currently underway,
it remains unclear whether RAMP's efforts to woo Chinese-speaking threat actors are in fact legitimate or simply a smokescreen.
In late October 2021, the Groove ransomware gang called on other ransomware operators to jointly attack U.S. entities. Once
this generated media attention, the operator of Groove's public blog claimed that it was a media
hack. It's certainly possible that RAMP's overture to Chinese-speaking threat actors
is part of a similar strategy. End quote. And finally, not content with goofing on the FBI and other grown-ups like security researcher Vinny Troia,
hacker Pompompurin is offering the low-grade content of the Robinhood stock trading platform for sale,
Security Week reports.
The big 5 million figure quoted is for the most part simply user emails.
About 310 had more data stolen, but even theirs fell short of fullz,
including, as they did, name, date of birth, and zip code. It's not clear whether Pompompurin
has the goods, inconclusive Security Week sources say, nor is it clear how valuable
those goods would be in any case.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The use of fuzzing by security researchers and software developers is growing
as teams find innovative ways to apply the technique.
I checked in with Matt Keeley, security analyst at Bishop Fox,
to get a better understanding of what exactly fuzzing is and how best to use it.
In essence, fuzzing is a technique that was originally developed by
security researchers, but now is starting to get more into the hands on the software development
side. But what it allows you to do is to perform black box analysis on a given program. And some
of these programs can be things like binaries, network protocols, web applications, any of that jazz.
And so where does the fuzz and fuzzing come from?
So the fuzz and fuzzing is more of the input that you're sending to the program.
So what the fuzzer will do is it will take and generate a lot of arbitrary inputs and then sort of throw things at the wall or at the program until something sticks.
So the goal of fuzzing is to try to make the program act in a
way that the program normally wouldn't act in. And it does that by fuzzing. The fuzz is the
arbitrary inputs that it's sending to the fuzzer, and then the fuzzer will send it to the program, or
to the application. So while it's doing its thing in an automated way, it's logging the results,
and then if something interesting happens, that gets reported back?
There's two types of fuzzers.
There's dumb fuzzers and there's smart fuzzers.
And so the dumb fuzzers don't necessarily know what the output of the program is.
So if it sends something to the program, it doesn't necessarily know if the program is crashed or not, which is why it's called a dumb fuzzer.
But a smart fuzzer, essentially,
it can record the data that's sent and it can record the output that,
or it essentially records events
that happen on the server side of things as well.
And then it uses that data to create new test cases.
You know, just as an aside,
I think I'm going to start using that
as an insult and a compliment.
You know, that guy is one dumb fuzzer.
Oh boy, that is a smart guy.
Boy, talk about a smart fuzzer.
Wow.
So where do we find ourselves today
in terms of the state of the art
and how people are applying this in the security realm?
So in the security realm, where I see it the most
is it's more being developed now into the development pipeline.
So DevOps is using this to sort of do a fuzz as you commit to the GitHub repos.
So every time you commit to your GitHub repo, the fuzzer that's developed with the harness,
essentially what the harness does is it gives you a little more flexibility and allows you to specify exactly what you want to fuzz. But it's being integrated there, so every time you commit
code to your database, they're running the fuzzers in that aspect. Something pretty recent, new, that's
come out as well is the DOE is actually doing fuzzing, but for simulations. DOE as in Department
of Energy. So they're fuzzing their critical infrastructure to
see, essentially, if we give you a scenario, so a power line goes down, a squirrel eats a cable,
there's an earthquake in California. Given that scenario, they fuzz their critical infrastructure
with the scenarios in mind. And then using a simulated process, essentially they see how that reacts after the fuzzer has sent the input in.
Are there any potential pitfalls here?
Any shortcomings when it comes to implementing these sorts of things?
It's not a, you know, it doesn't always find everything,
and that's sort of the state of security in itself.
It tends to throw things at the wall, but one of the big downfalls with fuzzing is the code coverage that it can get.
So it doesn't necessarily get full code coverage of the application, meaning you can't sometimes
hit some of the really intricate functions inside of a program just because of the way that the
fuzzer is set up. That's kind of where harnesses come in, though.
So harnesses take away that problem in some aspect,
but it does require human intervention.
I see.
So does the harness sort of allow you to specifically target
what you want the fuzzing to be turned loose on?
Yeah, absolutely.
It sort of bridges the gap between how the fuzzer expects that input to occur
and how it actually occurs.
So in your experience,
the people who are successful at implementing this,
are there any common threads there,
things that the successful people are doing?
Not particularly.
I think the biggest success is people actually implementing fuzzing into their pipelines,
whereas running the fuzzer once in a blue moon or once a year type deal
doesn't work as well as you think it would.
But if you're continuously running it on every commit, on every push,
you tend to find a lot better results in that aspect.
That's Matt Keeley from Bishop Fox.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Josh Ray.
He is Managing Director and Global Cyber Defense Lead at Accenture Security.
Josh, always great to have you back on the show.
You know, I really wanted to touch base with you today about the Conti ransomware group. And recently they had a little leak. Well, they had a little leak, didn't they?
Yeah, they did, Dave. And thanks for having me back on the show. This is a really interesting
topic that I think will help the listenership better understand ransomware operations.
As many of the folks know, Conti has been around since about June of 2020. And in this particular instance, our CTI analysts observed that a member of the group,
just to show kind of the displeasure, essentially, of how the Conti administrators reward their affiliates,
again, an alleged member, leaked manuals and procedures that the ransomware gang shares with the new joiners of their group.
Yeah, no, it's kind of neat because this leak actually offered some rare insight into the current methodologies that the group employs.
And our team did a complete breakdown of this playbook
and really solidified a lot of our thoughts around the complexity of the criminal ecosystem.
But now defenders can use this playbook to really support
detection and tracking a future ransomware operation. So what were some of the things
that the leak revealed? Yeah, now keep in mind that this is a criminal organization.
Right, no honor among thieves.
Yeah, but it's interesting to draw some parallels between normal security practitioners, right?
So the leak really helped shed light on not only the operations
and the organized structure that a new process,
so a new hire essentially goes through
and demonstrating their skill and capabilities.
And one of the fascinating things to me was that much like,
you know, white hat security professionals, the Conti playbook highlights that really there's this huge importance on continuous learning and sharing, especially around like cybersecurity certification material of the members, which I thought was, you know, fascinating.
I mean, continuous learning is important for the good guys and the bad guys, right? And the playbook really also confirms how operators of really any technical skill set shift from this notion of malware authoring to really quickly into the acquisition of more aggressive and impactful capabilities that are really focused on compromising the internal and external network infrastructure, really with the ultimate
objective to quickly exfiltrate data.
It's fascinating to me how we seem to see a continued professionalization of this and
even specialization that different folks are taking on different parts of these tasks.
Yeah, it's exactly true.
And I think that just speaks,
you know, to the profession at large, right? And as you have folks that are transitioning out of,
you know, intelligence community and defense organizations that, you know, might be drawn
into criminal gangs, we're probably going to continue to see this. But maybe one of the
biggest takeaways, you know takeaways for me was first
that this is really making tracking and attribution
a lot more difficult for folks that are,
especially folks that are focused on cyber crime research,
because there's just a tremendous amount of partnership
and collaboration now.
And as you mentioned, specialization across these groups.
And it's almost like tracking different
business entities rather than, you know, threat groups. But I will say a really positive thing,
and this is one thing I want to make sure that we kind of foot stomp here, is that, you know,
you can adapt this playbook to really kind of your hunt operations, right? To really specifically
look for pre-ransomware TTPs and get a notion of
the types of attacks and tactics that are revealed in this playbook, because they're absolutely
almost identical to other notable big game ransomware hunting operations that we've seen.
Yeah. No, it's a fascinating look inside the organization. Josh Ray, thanks so much for joining us.
Thanks, Dave. Really appreciate it.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Puru Prakash, Justin Sabey,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett
Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilby,
and I'm Dave Bittner. Thanks for
listening. We'll see you back here tomorrow. Thank you.
practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.