CyberWire Daily - CosmicEnergy: OT and ICS malware from Russia, maybe for red teaming. Updates on Volt Typhoon. Legion malware upgraded for the cloud. Natural-disaster-themed online fraud.
Episode Date: May 26, 2023

CosmicEnergy is OT and ICS malware from Russia, maybe for red teaming, maybe for attack. Updates on Volt Typhoon, China's battlespace preparation in Guam and elsewhere. In the criminal underworld, Legion malware has been upgraded for the cloud. Johannes Ullrich from SANS examines time gaps in logging. Our guest is Kevin Kirkwood from LogRhythm with a look at extortion attempts and ransomware. And Atlantic hurricane season officially opens next week: time to batten down those digital hatches.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/102

Selected reading.
COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises (Mandiant)
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (Joint Advisory)
Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (Microsoft)
China hits back at 'the empire of hacking' over Five Eyes US cyber attack claims (ABC)
Updates to Legion: A Cloud Credential Harvester and SMTP Hijacker (Cado)
Legion Malware Upgraded to Target SSH Servers and AWS Credentials (Hacker News)
CISA Warns of Hurricane/Typhoon-Related Scams (Cybersecurity and Infrastructure Security Agency CISA)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
CosmicEnergy is OT and ICS malware from Russia,
maybe for red teaming, maybe for attack.
Updates on Volt Typhoon,
China's battle space preparation in Guam and elsewhere.
In the criminal underworld,
Legion malware has been upgraded for the cloud.
Johannes Ullrich from SANS examines time gaps in logging.
Our guest is Kevin Kirkwood from LogRhythm
with a look at extortion attempts
and ransomware. And Atlantic hurricane season officially opens next week. Time to batten down
those digital hatches. I'm Dave Bittner with your CyberWire Intel briefing for Friday, May 26, 2023. Researchers at Mandiant have discovered a new malware designed to disrupt electricity supply and critical infrastructure.
Called CosmicEnergy, the malware specializes in affecting operational technology and industrial control systems
by interacting with devices such as remote terminal units
that are commonly leveraged in electric transmission
and distribution operations in Europe, the Middle East, and Asia. CosmicEnergy was uploaded to a
public malware scanning utility in 2021 by a user in Russia. The version obtained by Mandiant lacks
a built-in discovery capability, which means that a user would have to manually identify the IPs of MSSQL servers,
MSSQL credentials, and target IEC 104 information object addresses. Attribution is inconclusive,
but researchers suggest that this malware could have been a Russian red-teaming tool
used in exercises to simulate an electric infrastructure attack.
CosmicEnergy was found on VirusTotal, of all places, which seems a curious place for a threat actor to park malware, but in truth it's happened before.
The researchers explain that it is possible that this malware was developed as a red-teaming
tool for Rostelecom Solar, a Russian cybersecurity firm.
Mandiant has not been able to attribute this malware to any nation state.
They write,
Although we have not identified sufficient evidence to determine the origin or purpose of CosmicEnergy,
we believe that the malware was possibly developed by either Rostelecom Solar
or an associated party to recreate real attack scenarios against energy grid assets.
It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom Solar in 2021,
in collaboration with the Russian Ministry of Energy, or in 2022 for the St. Petersburg International Economic Forum.
They add that it is equally possible that this was created by another actor,
as there is a lack of conclusive evidence. And of course, even legitimate red-teaming tools can be
put to malign purposes. They are, after all, inherently dual-use items. CosmicEnergy hasn't
been observed in attacks so far, either in Ukraine or elsewhere, but the possibility of its offensive use can't be ignored.
Beijing's official position on the Five Eyes joint advisory concerning China's Volt Typhoon
cyber espionage campaign against U.S. targets, mostly located in Guam, is that the whole affair
is American disinformation, with the connivance of Australia, Canada, New Zealand,
and the United Kingdom, and with amplification by private sector stooges. In this case, again,
in Beijing's view, Microsoft. In full disclosure, Microsoft is a CyberWire partner, but even if
they weren't, we would strongly dissent from any characterization of them as stooges. ABC quotes Mao Ning,
spokesperson for China's foreign ministry,
as saying,
obviously this is a collective disinformation campaign
by the United States
to mobilize the Five Eyes countries
for geopolitical purposes.
She derided the report as extremely unprofessional,
marked by a serious lack of evidence,
adding,
the U.S. side should immediately give an account of the cyber attack instead of spreading false
information to divert attention, a familiar complaint by authoritarian regimes confronting
reports of their conduct. She concluded, as we all know, the Five Eyes is the world's largest
intelligence organization and the NSA is the world's largest hacker organization, and it is ironic that they have joined forces to issue disinformation reports.
We don't know. That advisory seemed pretty professional to us and chock full of pretty specific evidence, but as the kids say, read the whole thing and see what you think.
Legion, a commercial malware tool, has been upgraded to target Amazon Web Services, from which it extracts credentials for authentication over SSH.
Cado Security released a report on the threat emphasizing the progression towards exploiting
more cloud services and that each version does a bit better. That's better from the crook's perspective,
which of course from our perspective means worse. Regarding the SSH credential harvesting being
observed, Cado researchers write: Essentially, the malware hunts for environment variable files in
misconfigured web servers running PHP frameworks such as Laravel. Legion attempts to access these .env files by enumerating the target
server with a list of hard-coded paths in which these environment variable files typically reside.
If these paths are publicly accessible due to misconfigurations, the files are saved and a
series of regular expressions are run over their contents. Legion's developers also apparently enabled a previously
dormant tool to import a Python library called Paramiko, which is an implementation of the SSHv2
protocol, which allows them to exploit SSH servers. Hacker News reports that Legion is known for its
use of Telegram as an avenue of exfiltration and sending spam messages to
dynamically generated U.S. mobile numbers by making use of the stolen SMTP credentials.
Matt Muir, a Cado Labs researcher, explains that the tool mainly exploits misconfigurations
in web applications and so recommends that developers and administrators of web applications regularly review access to resources within the applications themselves
and seek alternatives to storing secrets in environment files.
The Atlantic hurricane season formally opens on June 1st,
and the U.S. Cybersecurity and Infrastructure Security Agency warns
that scammers can be expected, as usual,
to take advantage of people's natural concern to induce them to bite on various scams.
CISA says,
Social engineering tactics, techniques, and procedures include phishing attacks that use email or malicious websites
to solicit personal information by posing as a trustworthy organization, notably as charities providing relief.
Exercise caution in handling emails with hurricane or typhoon-related subject lines,
attachments, or hyperlinks to avoid compromise.
In addition, be wary of social media pleas, texts, or door-to-door solicitations
related to severe weather events.
The same goes for typhoons, and the Pacific typhoon season is already underway.
Hurricanes and typhoons are bad enough
without an augmentation of fraud.
And finally, this weekend marks the U.S. federal holiday
of Memorial Day, observed on Monday.
We won't be publishing on Memorial Day,
but we'll be back as usual on Tuesday.
We invite you all to join us in
remembering those who've sacrificed for their country, and in our hopes that this troubled world
may see some peace.
Coming up after the break, Johannes Ullrich from SANS examines time gaps in logging.
Our guest is Kevin Kirkwood from LogRhythm with a look at extortion attempts and ransomware.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Kevin Kirkwood is Deputy CISO at SIEM platform provider LogRhythm. I spoke with him about the evolving threat of ransomware and data extortion.
If you look seven or eight years ago, a ransomware event was literally somebody coming in and figuring out a way to have you click on a link or do something odd like respond to an email.
And it would take you to a point where it would start encrypting everything in your backend system.
Anything that looked like a Word doc
or a Microsoft product.
Cool note, it's also anything connected
to the system that you're working on,
like Dropbox as an example,
it encrypts everything in there too.
So that's kind of the fun piece, right?
But long story short, it's evolved over time.
And as you're looking at what's happened in the space, they pick their targets better.
They pick targets that are known payers.
Somebody that comes in and has had a ransomware event, didn't learn the lesson, and they figure out ways to get in there and cause them pain again.
So it is also about getting to the point where you're driving ransomware into a situation where it's not so much about encrypting anymore either. It's becoming something where they look at it and
say, okay, so I'm going to obfuscate the data or I'm going to corrupt the data, frankly.
And that means that if your backup system doesn't work, isn't clean, isn't correct,
you have no choice. You're basically going to pay to get the data back. And so what they do is they've taken it to the next level. They've come in, they've stolen your data, they corrupt it in
place, or they encrypt it in place still in some cases,
they basically tell you, hey, listen, the only way to get this back is I have a copy or I have a key.
And once they get to that point, they can come in and say, if you don't pay, we'll just flip it out into the wild,
and you'll want to keep us from doing that as well.
So that's the second layer of the attack.
A third layer actually might be if they're looking at the environment that you're in
and you've got a huge number of systems, you've got a big sprawl of data,
they're going to find something that's remote and distinct
and drop in something that will allow them to come back in a back door at some level.
So that's almost like a third layer of attack.
Once they get you paying, they'll keep you paying as long as they can.
What are the options that organizations have to counter this?
This is where we find ourselves.
What can folks do?
Well, there's a couple of pretty basic things.
I mean, the backup situation hasn't changed.
You absolutely have to have good backups.
You have to practice your backups. You need to have, you know, a training system in place so that
folks know what a phishing attempt is, what it means when you have a phishing attack.
And that's typically one of the ways where the problem gets started. People get
phished. They click on a link. They click on something. They provide credentials. They do
something that's beyond the pale of normal operations. And if you don't have the training
in place, you don't keep them constantly aware that this is occurring, people have a tendency to forget. And one misstep can
ruin a whole lot of days for a company. And so it's things like that. Then, of course, on top
of that, your ransomware is typically some kind of malicious file, a malicious program. And so as long as they haven't updated the core code,
a lot of the cyber vendors, malware vendors, or malware detection facilities will actually come
back in and provide you a solution to that. So you keep your malware signatures up to date, and your system should detect it and keep it from happening.
Now, that doesn't mean that the attacker can't get fancy, recompile his malicious code, drop it into a new name in a new area, and have it become a new zero day for the attack.
Long story short, they need to get in, they need to be able to figure out ways to detect and automate the sending of the data. And so looking at your backup systems, looking at your
files as they transfer are things that you need to be thinking about on a fairly regular basis.
You know, you suddenly see a large link or a large blob of data leaving the organization, get suspicious.
If it's a backup, get suspicious even more and figure out ways that you can keep an eye on this.
NDRs are out there.
Network detection and response routines are out there.
And these can help you identify where there's a problem and could allow you to
actually stop an attack from happening. User and entity behavioral analytics can also help
significantly, right? So these are things where somebody does something that's unique, elevates
credentials, does something that, you know, is not normal behavior for them. They traverse into a new area
and where they shouldn't be. That's something you can put a stamp on and say, yep, that's bad
practice. We're going to stop that. So it's things like that. I mean, there's a lot of tools in place
to help people, but it takes a coordinated, precise strategy and tactical approach to solve this problem.
If you're not thinking through ransomware at the right level, you're not driving to detect and respond at the right level, you're potentially toast.
I think that's really the trick, right?
I mean, there is a good bit of complexity here. And so I'm curious for your insights on what's the best way for organizations to go about
prioritizing the time, the resources that they have to kind of dial in what best fits
their particular threat model.
It's also about who they are as an entity, right?
So if you're a mom and pop shop and you don't think of yourself as a
target, you're probably thinking wrong. If you're a mid-sized company and you have some level of
security in place and a security posture in place that makes sense, make sure that you're thinking
through, you know, what's the worst thing that could happen? What's your worst day? And ransomware
could be that worst day. As an example, there was a security company here recently, I think it was 2020 or 2021,
that actually got attacked, got their data exposed. They exfiltrated about 700 megabytes of
data. And as a security company, that's almost a game killer, right? How do you make sure that
that doesn't occur to you?
And so it's things like that that you need to be well aware of and ahead of. Healthcare companies,
another great target. They typically have a limited response plan in place. They probably don't spend a lot of money and time on security, and the hackers know that. And so they'll come in, they'll spot a potential target,
they'll look at that organization, they'll figure out who the players are, and they will begin their
spear phishing routines and get themselves into your system. And so it's about how do you make
sure that you've got the right people in place to help you think through this, the right IT components in place to help you recover should this occur?
Folks that are ready to react and respond very quickly.
Then systems that basically can help you with the detection and response that will basically stop the attack in its tracks if you can figure it out.
That's Kevin Kirkwood from LogRhythm.
And I'm pleased to be joined once again by Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC Stormcast podcast.
Johannes, it's always great to welcome you back.
You know, people complain about their logs,
the firehose of information that is contained in their logs.
But you make the point that sometimes the absence of logs can be a key indicator that
perhaps something is awry.
Yes, Dave.
That's certainly one of those things that as a SOC analyst, you come into work and,
hey, no alerts today.
Easy day.
Let's get some more coffee and let's go take an early lunch and such.
But the log volume is actually a very important indicator.
I remember one of the very, very early hacking groups I tracked back in the 90s,
they called themselves the lumberjacks,
because the first thing they did was they cut down all the logs.
But one standard thing that hackers are doing is to disable logging, or at least to reduce logging. And that's something to be aware of. So you definitely have to have some mechanism in place
to alert you if the log volume is suspiciously low.
The tricky part here is that log volume often fluctuates a lot during the day.
You have things like brute force attacks or denial of service attacks that can all of
a sudden create a very high log volume.
And so it can be a little bit difficult to sort of establish a proper lower
and sort of a floor in your logging
that will alert you of basically not having enough logs.
Some way to possibly make this a little bit easier
and more accurate is to establish this log floor
for individual log sources,
and also the average volumes that you're expecting for these sources.
Because not all sources are as volatile as, for example, failed login attempts.
Is this an application, dare I say, for some machine learning or artificial intelligence?
Everything is better with machine learning these days. No, certainly it is.
But there are actually some simpler things that you can do,
some Fourier transforms or such,
where you are just looking at, a lot of this is cyclic,
where you have more logs during business hours
than off business hours.
So you tend to have these seven-day, 24-hour
type of cycles in your log volume.
You have sometimes processes that kick off at certain times that create a lot of logs.
Once you're identifying some of that and reduce some of this,
you can certainly get a better idea of what normal is in your log volume.
But for large amounts of logs and such,
very diverse logs,
something like machine learning
certainly would be a good application here.
I'm reminded of all those movies,
spy movies and such,
where there's a security camera
and somebody needs to get into a building.
So rather than having the feed
from the security camera go dark,
they'll cut in their own feed that just shows an empty hallway or something like that.
Have we seen threat actors do that with logs where rather than just disabling logging, they just sort of fill it with benign information?
I haven't come across that yet.
So maybe I want to cut this out to not give anybody here any ideas.
Okay, fair enough.
Wouldn't be surprised if someone has done that,
but can't remember if anybody has sent benign logs or replayed logs.
Maybe sometimes in the packet space, but not really.
I don't really see that being used as an attack.
But yeah, interesting idea.
Yeah.
All right.
Well, Johannes Ullrich, thanks so much for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Up next on Research Saturday: Himaja Motheram and Emily Austin from Censys. They're sharing their research.
Months after the first GoAnywhere MFT zero-day attacks,
Censys still sees about 180 public admin panels.
That's Research Saturday. Check it out.
We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic
Workforce Intelligence optimizes the value of your biggest investment, your people. We make
you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was
produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester with original music
by Elliott Peltzman. The show was written by John Petrick. Our executive editor is Peter Kilpe,
and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.