CyberWire Daily - Cobalt Mirage deploys Drokbk malware. Zombinder in the C2C market. Impersonation scams. CISA releases three new ICS advisories. And criminals prey on other criminals.
Episode Date: December 9, 2022

Cobalt Mirage deploys Drokbk malware. Zombinder in the C2C market. Impersonation scams: that's not Ukraine's Ministry of Digital Transformation. On the cyber front, nothing new. CISA releases three new ICS advisories. Caleb Barlow on attack surface management. Mike Hamilton from Critical Insight explains how state and local governments apply for the $1 billion allocated by the feds for cybersecurity funding. And criminals prey on other criminals. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/235

Selected reading.
Drokbk Malware Uses GitHub as Dead Drop Resolver (Secureworks)
Zombinder: new obfuscation service used by Ermac, now distributed next to desktop stealers (ThreatFabric)
Crypto Winter: Fraudsters Impersonate Ukraine's Government to Steal NFTs and Cryptocurrency (DomainTools)
Danish defence ministry says its websites hit by cyberattack (Reuters)
Kela website hit by DoS attack (Yle)
Advantech iView (CISA)
AVEVA InTouch Access Anywhere (CISA)
Rockwell Automation Logix controllers (CISA)
The scammers who scam scammers on cybercrime forums: Part 1 (Sophos News)
Cyber-criminals Scammed Each Other Out of Millions in 2022 (Infosecurity Magazine)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Cobalt Mirage deploys Drokbk malware, Zombinder in the C2C market, impersonation scams. On the cyber front, nothing new. CISA releases three new ICS advisories, Caleb Barlow on attack surface management, Mike Hamilton from Critical Insight explains how state and local governments apply for the $1 billion allocated by the feds for cybersecurity funding, and criminals prey on other criminals.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 9th, 2022.
Secureworks Counter Threat Unit researchers have been investigating the Drokbk malware and they published their findings this morning. The malware was found to be operated by a subgroup of Iran's government-sponsored Cobalt Mirage threat group, which the researchers know as Cluster B. The Drokbk malware was detected in use as early as February of this year, in that case during an intrusion targeting a local U.S. government network. The Cobalt Mirage threat group appears to prioritize achieving remote access via the Fast Reverse Proxy tool, while subgroup Cluster A prefers a modified version of the tool known as TunnelFish. Cluster B prefers to leave the tool unmodified. Cluster B uses GitHub as a dead drop resolver to locate its C2 infrastructure. GitHub allows these threat actors to fly under the radar more easily. Secureworks principal researcher and thematic lead for research focusing on Iran, Rafe Pilling, put it this way: "The use of GitHub as a virtual dead drop helps the malware blend in. All the traffic to GitHub is encrypted, meaning defensive technologies can't see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions. This technique is also interesting as it is unusual for Iranian malware and represents a departure from past Iranian practice."
ThreatFabric researchers tracking Android banking Trojans have found a criminal service, Zombinder, that offers to bind such Trojans to otherwise legitimate apps. The researchers say, "The latest campaign we identified while writing the blog involving Zombinder was distributing Xenomorph banking Trojan under the guise of Vidmate application." It's another offering being traded in the criminal-to-criminal market. ThreatFabric draws some larger lessons from the incident, stating, "Modern threat landscape becomes more and more sophisticated, where actors combine multiple approaches in malware development, distribution, operation, as well as in performing fraud itself, involving multiple tactics at the same time. New tools appear to make malware less suspicious or more trustworthy for victim, which results in more successful fraud cases. Moreover, targeting multiple platforms, actors are able to reach wider audience and steal more PII to utilize in further fraud."
Other criminal groups have made use of the Russian war against Ukraine and the widespread sympathy for Ukraine that war has aroused to mount impersonation campaigns designed to steal crypto assets. A great deal of aid collected from people globally has been delivered to Ukraine in the form of cryptocurrency, and criminals have taken note of the opportunity that presents them. DomainTools this morning provided an update of their ongoing study of criminal scammers who have sought to steal NFTs and cryptocurrency from retail investors. The researchers state, "DomainTools observed and continues to track a cryptocurrency scam campaign impersonating Ukraine's Ministry of Digital Transformation as part of a broader effort to steal non-fungible tokens and cryptocurrency from retail investors. Using the ruse of funding urgently needed military equipment and humanitarian supplies for Ukraine's defense against a Russian invasion, a Twitter account began promoting two malicious look-alike domains central to this fraudulent fundraising campaign. These two domains share a host that offers pivots to several different types of cryptocurrency scams likely operated by the same actor. In addition to showcasing cybercriminal opportunism, this campaign helps illustrate broader themes related to the underlying social engineering methods cybercriminals use to bypass a target's healthy skepticism for illegitimate purposes, as well as the power of pivoting through internet infrastructure to identify and track malicious activity." The good news, DomainTools says, is that the relatively quick exposure of the scams has limited their effectiveness, and the hoods appear to have turned to other impersonations and other forms of phish bait. But continued wariness and skepticism remain in order. If there's the prospect of making some quick altcoin, the scammers won't hesitate to revert to saying that, no, really, take it straight from us, friend. The way to help suffering Ukraine is to click here.
Meanwhile, on the cyber front of Russia's hybrid war against Ukraine, there seems to be little new. Low-level incidents have been reported in Finland and Denmark, but without attribution to Russia, indeed, without attribution to anyone. There's an a priori likelihood that the attacks may represent nuisance operations by Russian auxiliaries, but that's at best circumstantial.
CISA yesterday released three industrial control system advisories. Operators should consult the advisories for appropriate remediations and then read them and heed them.

And finally, what happens when crooks rip off other crooks?
Big deal, right? Actually, it's interesting even if your sympathies, like ours, are entirely against the hoods, the goons, the other assorted no-goodniks and predatory losers who cumber the internet. So here's what Sophos researchers are telling everyone about this particular corner of the underworld. It's a bigger business than we would have imagined.

First, Sophos says, it's big business, a sub-economy in itself. How big, you ask? Well, this big. Over the past year, crooks have lost more than two and a half million U.S. dollars in just three criminal forums. It's become such a problem that the forum administrators have established what they're calling arbitration rooms, where aggrieved crooks can seek redress of grievances against their fellows.

Second, while it's often about the money, that's not always the case. Chest beating, score settling, scrambling for place in the criminal pecking order, all of these are just as common as direct theft. Think of it as competition for underworld market share.

Third, the scams being run against the scammers aren't just the crude smash-and-grab stuff one might expect. Sophos says, "We saw referral cons, fake data leaks and tools, typosquatting, phishing, alt-rep scams, the use of sock puppets to artificially inflate reputation scores, fake guarantors, blackmail, impersonated accounts, and backdoored malware." And the victims look for payback. As the researchers put it, "We even found instances where threat actors got revenge by scamming the scammers who scammed them."

Fourth, some of the criminal-on-criminal crime is of long duration and requires patience and extensive preparation. There are, for example, what Sophos calls "tentative links" between 19 scam sites targeting other criminals and one active dark web drug pusher.

So again, who cares? Sophos thinks that anyone interested in threat intelligence about the workings of the cyber underworld should care. They say that cybercriminals are often cagey users of good OPSEC, but being scammed throws them off their game, and when they feel someone has done them wrong, they drop their guard in those arbitration rooms and reveal more about themselves than they otherwise might. So, Sophos concludes, this hidden sub-economy isn't just a curiosity. It gives us insights into forum culture, how threat actors buy and sell, their tactical and strategic priorities, their rivals and alliances, their susceptibility to deception, and specific discrete intelligence about them. The researchers plan to follow up with further reports on this aspect of the underworld over the coming weeks, and we'll be watching with interest.
Coming up after the break, Caleb Barlow on attack surface management. Mike Hamilton from Critical Insight explains how state and local governments apply for the $1 billion allocated by the feds for cybersecurity funding. Stick around.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.

Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.

Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.

Bipartisan Infrastructure Improvement and Jobs Act. Mike Hamilton is CISO of cybersecurity firm Critical Insight, and he's been working directly with state and local governments to apply for their share of the money.

Every state is going to do this a little differently, first of all.
What they want to do is have states establish committees, and those committees will be made up of state and local government officials, public health folks, education folks. What that committee will do, they've been given a little bit of funding, for example, Washington state, I think they have $3.7 million and that's to conduct a year of planning. So the states are being funded to come up with a plan that looks broadly across the entire jurisdiction. Step one is to construct the committee that's going to develop that plan. And then local governments must consent to the state plan in order to receive funds for items, services, capabilities, activities, things like that. And the plan has to hit specific elements and be measurable. So in a nutshell, that's what we're looking at. And like I say, states are going to do this differently. They may have local governments all assess themselves and come up with, here are my gaps that I need to be filled. But because it is fairly prescriptive, the state is going to have to say, okay, as a state, here's how we're all going to do this. And there's likely to be pushback from certain places.

Where do you suppose there'll be pushback?

Well, so yesterday I was at a conference in a state. And in speaking with the people there, they thought that this would not work well in their state. In fact, I'll just say it's Idaho because kind of the center of gravity in Idaho is Boise. And listening to Idahoans, Boise gets all the funding at the expense of a lot of the other jurisdictions and they really don't like Boise. You know, I mean, there's kind of this, you know, anti-government subcurrent running there. And so it's going to be more difficult for Idaho, for example, to have a consolidated plan. Here's how we're all going to do this. Some of them are just going to tell them, pound sand.

Wow. It also strikes me that obviously, you know, not every state is created equal or of the same scale. I mean, California operates at a different level than, say, North Dakota does.
How does this take into account that in terms of what they'll be willing to distribute, the various amounts?

Yeah. So the funding is scaled to state population. And so, for example, the small amount that's been allocated right now just for this year of planning, you know, New Hampshire got a lot less than Washington State, for example.

Is this just a one-time funding opportunity, or is there any expectation that this could become an ongoing thing?

I believe this billion dollars is to last four years, three or four years. And I don't think there's anything after this. So, and that raises an interesting question too, right? Is sustainability. And, you know, so for example, let's say that, so we got to monitor all the networks, right? At the network and user level, that's one of the things embedded in here. And because there are no human resources to, you know, act as analysts out in some of these rural places, managed services are the only way they're going to be able to do this, right? So the state committee is going to have to take that into consideration. So you contract a managed service for a three or four year duration of this grant, and then what? So there needs to be a then what that comes after this. And is that going to fall on, you know, is that going to fall on the state? Is that going to fall on the locals? I don't think we know.

No, I mean, it reminds me, you know, of a small community gets a grant to buy a new snowplow and that's great. But now they got to maintain the snowplow.

Yeah, it's O&M, yeah.

Right, right.
What about the talent issue here? I mean, having enough people and being able to, them what they need to align with the NIST NICE framework, which is all about education. So, you know, it's like, you know, one of these things is not like the others, right? Use the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity developed by NIST. There's a whole lot of Fed speak in this thing. But so I think there is an opportunity there for novel solutions. For example, I don't know if you and I, I think we've talked about the PISCES project that we started, which is monitoring small local governments for free in return for collecting data from those networks and using it as live fire curriculum for universities. And so we're going to be, you know, speaking with state representatives all over the place because we can set that up in a state that is more sustainable. And what it does is it creates the bench of the people that you need going forward while you're providing this stopgap, you know, analyst service that's based on students. So in the longer term, that should move the needle. It should increase the bench strength here in the United States.
Are there any opportunities with this for states to team up?

There's more of an opportunity to do this broadly across a single jurisdiction where that jurisdiction is defined as the state. But there is some wording in here about how states could get together. There's a matching, a funds matching requirement in here. And to avoid the matching requirement, that's what they say. You need to get together and do things en masse. And so there may be some states that try to work across state lines together. Which states are friendly with each other? You know, I don't know how that's going to work out.

The Dakotas, the Carolinas, the Virginias.

New Hampshire and Vermont.

Right. Right.
That's Mike Hamilton from Critical Insight. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
And joining me once again is Caleb Barlow. He is the founder and CEO at Cylete. Caleb, it's always great to have you back. I want to touch today on attack surface management. It's getting a lot of attention lately. And I know you have some thoughts here. What do you have to share with us today?

Well, attack surface management is officially the new most overused term on the RSA show floor.
And that's an official stat.
Has it surpassed artificial intelligence and machine learning?
Oh, without a doubt. Without a doubt, right?
All right. Okay, fair enough.
And, you know, I think the point here is we need a little clarification with it.
So, first of all, this is an extremely important concept.
And the basic idea is, do you understand your attack surface, both
what's coming from your own data centers, but also what's in your cloud? And you really need
to understand that attack surface, both external to the world, as well as internal to the world.
You know, common scenario, let me pick on a hospital as an example, right?

Yeah.

And, you know, in my prior company, we used to go do these assessments. You go in and the hospital will tell you, oh, well, we have 1,527 medical devices. How do you know that? Well, that's what our system tells us we have. So we need you to go audit those. Okay, great. We go off, spend a week or two. We come back. Actually, you have 6,528 medical devices. And I'm not exaggerating on the ratio here, right?

Yeah. Yeah.

And then you kind of have this, oh no, because what are they? Where are they? What do they do? How do they get here? And, you know, a hospital is a great example of, you know, kind of the world's worst scenario of BYOD because a lot of these things were plugged in by different medical practices working in the hospital or, you know, a doctor gets a new medical device and they connect to the Wi-Fi or whatever, right? You've got to understand your attack surface, both internally and externally. Now, here's where the problem comes into play. There are fundamentally two
ways in which this is being done. So this involves identifying your IP space and then scanning it, scanning it for ports, scanning it for devices, scanning it for servers, and trying to enumerate what those are and where they are. Well, most of the companies out there today are doing this from your logs, meaning that their tool goes and taps into, let's say, your SIEM or Splunk or something like that, and pulls those logs and says, hey, what is every IP address that I see? In some cases, they take it to the next step, and they go and they scan kind of network traffic and say, okay, what are all the IP addresses that seem to appear inside your network? And those things are great, but the reality, and you know, there's all kinds of great traffic lighting and pretty charts and reports. But the problem with those approaches is that in theory, that's the stuff you should already know about because it's already in your logs, right? What we're really after is the stuff you didn't know was in your environment. And that's where you've really got to look at tools that scan.

And there are kind of two types of scanners out there. One that you can kind of point at your IP space and say, scan this. And what you really want to be doing is scanning it on a regular basis, because you're not just interested in the server that appears there that, oh yeah, I forgot about that test server that, you know, we need to get that locked down. You've also got to be scanning constantly for the cloud instance that got stood up or the server that maybe got rebooted and when it rebooted, it was misconfigured, right? So the idea here is you want to be constantly scanning that attack surface to say, wait a second, where did this new device or this new cloud environment come from? And was I expecting it?

You know, the other form of scanner are these tools, you know, and there are kind of only two out there that really do this at scale. And that's, you know, Censys and Shodan. And they scan the entire internet space, right? And those are very valuable tools when you combine them with something like Maltego to go in and say, hey, what am I connected to? What else is out there that I'm working with? And that's where attack surface management really needs to head is not only what do I look like from, you know, kind of an independent scanner looking at this? But also, what's all that stuff connected to?
How do you keep this process from spinning out of control? You know, because I'm thinking like a hospital, you know, something running at that scale. There are constantly going to be things being plugged in and disconnected and a printer breaks and we buy a new printer. And, you know, how do you keep from chasing your tail?

Well, if you're not organized, that's all you're doing. And I remember oftentimes the feedback from clients would be, hey, we don't actually want to do this scan because we're going to find this stuff and then we're going to have to deal with it. And, you know, you're going to scratch your head and go, all right, that's probably not the right answer. But, you know, what you really should be doing is when a new device appears in the network, and there are lots of tools that will do this, before it gets connectivity, you've got to fill out some forms and answer some questions, right? So more advanced companies, if you bring a new tablet or a laptop in, the first thing that happens is that thing can't go anywhere until you fill out the form. Who is it? Who owns it? What is it? And then now all of a sudden you've got a registered asset, right? And you know who to go to when it needs to be updated or patched or what have you.
So that's where you really want to head. But where I think this is headed as an industry is to look at attack surface beyond just your company and start to look at attack surface of your suppliers and where things are connected, right? It's one thing to say, hey, I've got, you know, I get services from supplier A, and supplier B is my backup. Okay, you know, so I've got redundancy, which sounds great until you find out that supplier A and supplier B both run out of the same data center on the same infrastructure. And then you realize, actually, you have no redundancy at all. And that's the type of thing that a lot of companies are really starting to look at is the critical aspects of their supply chain. And this is where AI and ML come into play, right? If I know that this particular path of my supply chain is absolutely critical, where is there a lack of redundancy, for lack of a better term, in that path that I maybe didn't know about? And attack surface will tell you that. Or, hey, where are there huge vulnerabilities? And does my supplier realize this?

And is this a case of not relying on self-attestation from your suppliers? Trust but verify?

A hundred percent, right? Now, well, actually, let me say that in two ways. There are companies out there that do this without involvement of the company they're scanning. And the reality with those scenarios, you know, these are often used by insurance companies for underwriting. It's really nearly impossible to get an accurate result because you've got so many false positives. I mean, I remember at a prior company, we had many deception honeypots out there. And one of these companies would enumerate our honeypots all over the place. Oh, you're this place. Oh, your security posture is terrible. Look at all these vulnerabilities. We're just going to leave those vulnerabilities there.

Right, right.

So there's a lot of false positives in that space. But ideally, it's interactive. But yeah, there is a bit of an aspect of trust but verify here.
Yeah. All right. Well, Caleb Barlow, thanks for joining us.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.ca.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with A.J. Nash from ZeroFox. We're discussing the cybersecurity threats, including social engineering attacks surrounding the Qatar 2022 World Cup.
That's Research Saturday. Check it out.
The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe. Thanks for listening. We'll see you back here next week.

Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.