CyberWire Daily - Criminal evolutions, disgruntled insiders, and gangsta wannabes. New wiper attacks hit Ukrainian targets, with less effect than the first rounds early last year. And support your local hacktivist?
Episode Date: January 30, 2023

Gootloader's evolution. Yandex source code leaked (and Yandex blames a rogue insider). New GRU wiper malware is active against Ukraine. Latvia reports cyberattacks by Gamaredon. Russia and the US trade accusations of malign cyber activity. A hacktivist auxiliary's social support system. Deepen Desai from Zscaler describes the Lilithbot malware. Rick Howard looks at chaotic simians. And wannabes can be a nuisance, too: LockBit impersonators are seen operating in northern Europe.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/19

Selected reading.
Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations (Mandiant)
Yandex denies hack, blames source code leak on former employee (BleepingComputer)
Hackers use new SwiftSlicer wiper to destroy Windows domains (BleepingComputer)
Sandworm APT targets Ukraine with new SwiftSlicer wiper (Security Affairs)
Ukraine: Sandworm hackers hit news agency with 5 data wipers (BleepingComputer)
Ukraine Links Media Center Attack to Russian Intelligence (BankInfoSecurity)
Latvia confirms phishing attack on Ministry of Defense, linking it to Russian hacking group (The Record from Recorded Future News)
Russia knows US recruits hackers, trains Ukrainian IT-army — Deputy Foreign Minister (TASS)
Taking down the Hive ransomware gang. (CyberWire)
US puts a $10m bounty on Hive while Russia shuts down access (Register)
Exploring Killnet's Social Circles (Radware)
Copycat Criminals mimicking Lockbit gang in northern Europe (Security Affairs)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
Gootloader's evolution.
Yandex source code has been leaked and Yandex blames a rogue insider.
New GRU wiper malware is active against Ukraine.
Latvia reports cyberattacks by Gamaredon. Russia and the U.S. trade accusations of malign cyber activity.
A hacktivist auxiliary's social support system.
Deepen Desai from Zscaler describes the Lilithbot malware. Rick Howard looks at chaotic simians. And wannabes can be a nuisance too. LockBit impersonators are seen operating in northern Europe.
From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 30th, 2023.

Mandiant has published a report outlining notable changes to the Gootloader malware over the course of 2022. The researchers say these changes include the use of multiple variations of the FONELAUNCH launcher, the distribution of new follow-on payloads, and changes to the Gootloader downloader and infection chain, including the introduction of Gootloader.PowerShell. The malware is also using new techniques for obfuscation. Gootloader is distributed via malicious business-related documents hosted on compromised websites, and defenders should be on the lookout for fresh campaigns.
Source code belonging to Yandex, the Russian search engine giant, was leaked online. The leak doesn't appear to contain any customer data, BleepingComputer writes, and Yandex says the incident was an insider breach, not the result of an external attack. The files were stolen last July, and a former Yandex executive speculates that the motivation for the leak was political. In any case, the hackers responsible don't appear to have tried to sell the code.

Security firm ESET says a new strain of wiper malware they're calling SwiftSlicer has been deployed against Ukrainian networks. ESET Research tweeted, "On January 25th, ESET Research discovered a new cyber attack in Ukraine. Attackers deployed a new wiper we named SwiftSlicer using Active Directory Group Policy. The SwiftSlicer wiper is written in Go programming language. We attribute this attack to Sandworm." The Sandworm group is operated by Russia's GRU, and SwiftSlicer represents a successor to HermeticWiper and CaddyWiper, both of which the Russian service had deployed against Ukraine in the early phases of the invasion. HermeticWiper was identified in February 2022 during the opening days of the invasion. CaddyWiper was observed the following month. ESET has not identified the organization or organizations affected by SwiftSlicer.
The Ukrainian Computer Emergency Response Team, CERT-UA, on Friday reported identifying five distinct strains of wiper malware in the networks of the Ukrinform news outlet. The strains and the systems affected were CaddyWiper, ZeroWipe, and SDelete, all affecting Windows; AwfulShred, which is effective against Linux systems; and BidSwipe, which is used against FreeBSD. The Russian hacktivist group Cyber Army of Russia Reborn claimed credit in its Telegram channel for the infestations. BleepingComputer says that two of the strains, ZeroWipe and BidSwipe, represent either novel malware or, if they're existing known strains, they're being tracked under unfamiliar names by CERT-UA.
The Gamaredon APT seems to have tried a phishing attack against Latvia's Ministry of Defense last week. The Record reports that Latvian officials said the attempts were unsuccessful. The apparent motive is said to have been counter-espionage. The group is also known as Primitive Bear and widely believed to be operated out of occupied Sevastopol by Russia's FSB.
TASS quotes Russia's deputy foreign minister as saying that the U.S. has been responsible for recruiting and training members of Ukraine's auxiliary IT army, a hacktivist group active against Russian targets.

On Friday, Roskomnadzor, Russia's Internet agency, blocked Russia's access to the U.S. FBI and CIA sites, Interfax reports. They're run, Roskomnadzor says, by a hostile country, and they aim at destabilizing the social and political situation in the Russian Federation. Blocked along with the FBI and CIA is the U.S. State Department's Rewards for Justice site, which offers a bounty for information on four categories of malign activity: terrorism, foreign election interference, malicious cyber activity, and finally, and simply, North Korea.
Thursday, shortly after the U.S. Justice Department announced the international operation that disrupted the Hive ransomware gang, Rewards for Justice tweeted the following offer,
If you have information that links Hive or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government,
send us your tip via our Tor tip line.
You could be eligible for a reward.
That is, to gloss the offer, we're looking at you, Russia.
Hive is a Russian criminal ransomware operation,
and like most Russian gangs, it has connections with Russia's security and intelligence organs.
Information tying Hive to the Russian government could qualify for an award of up to a cool
$10 million. A comrade could retire on that, couldn't they? Military auxiliaries exist within a social
context that provides both moral and sometimes even financial support. Consider benign examples
that will be familiar to readers in the U.S., like the Civil Air Patrol and the Coast Guard
Auxiliary. They function as civic organizations in a civil society, at least as much as they operate as auxiliaries of the Air Force and the Coast Guard.
The same seems to be true to a limited extent with hacktivist organizations
serving as security and intelligence service auxiliaries.
Radware describes the support system that's grown up around Russia's Killnet group,
stating,
It's not common for analysts to have the opportunity
to study the social circles of criminal organizations,
but occasionally a group emerges that is more transparent than others.
Examining a criminal organization's social presence
can give analysts valuable insights into the structure
and operations of the organization,
as well as the relationships and connections between its members and the community around them.
Killnet is the sort of group that lends itself to such analysis, and Radware describes three
organizations that have been prominent in their support of the hacktivist mission.
First, Infinity Music, a music label whose star rapper, Kaze Oboima, has published a song called Killnet Flow, an Anonymous diss. This isn't financial support, rather it's support in the form of bad boy street cred. As if you know Kaze Oboima, you know he's always been official. Second, Hooligan Z Jewelry, a Moscow-based designer of street-inspired jewelry, is selling Killnet-branded drip. And it's worth noting, in passing, how much both Infinity Music and Hooligan Z Jewelry owe to American pop culture. Their street cred is derivative, and that's something the Kremlin can't be entirely comfortable with.
Third, Solaris Marketplace, and here we're on more familiar ground.
Solaris is a darknet criminal marketplace,
and it's made financial contributions to Killnet.
Radware concludes, From financial contributions to active participation in illegal activities
to passive support through art and entertainment,
the social circles of Killnet demonstrate the complexity of criminal organizations' relationships,
connections, and structure.
And, we might add, the seductive power of American popular culture.
Not that that's a good thing or a bad thing. It's just a thing.
And finally, Security Affairs reported Saturday
that the LockBit locker malware has been seen in use
targeting small and mid-sized businesses in Northern Europe.
Though this malware is primarily operated by a group bearing the same name,
these attacks don't appear to originate from the gang.
Rather, they seem to be the work of copycat actors
who procured a leaked version of the gang's malware. One instance targeting a Belgian company was observed in which a swath of internal files was encrypted by the faux LockBit offenders. Fortunately, the company was able to resume normal operations after restoring their network from a backup, though the damage that can be wrought, even by unseasoned, unaffiliated wannabes, as Security Affairs affectionately calls the operators, remains considerable.
Coming up after the break, Deepen Desai from Zscaler describes the Lilithbot malware, and Rick Howard looks at chaotic simians.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Rick Howard.
He is the CyberWire's chief analyst and also our chief security officer.
Rick, it is always my pleasure to welcome you back.
Hey, Dave.
So over on our CyberWire Slack channels this week,
you have been talking about this thing called chaos engineering.
I'm slightly familiar with that term, but I'll admit I don't know a whole lot about it.
What are we talking about here, Rick?
So, it's a phrase that describes a disruptive and some would say radical idea in the area of cybersecurity resilience.
Well, if I'm remembering correctly, resilience is one of your key first principle strategies, right?
Yeah, that's right. And while we've been watching that lane of research
for the past couple of years,
we noticed that a handful of Silicon Valley tech giants
have been using this technique since the late 2000s
to ensure that their worldwide system of systems
never goes down.
So what makes chaos engineering so radical?
Well, these chaos engineers run experiments on their production systems, and that's the key phrase, their production systems. They're designed to discover systemic weaknesses in their system design, and that's a really fancy way to say that they intentionally destroy, I guess they would say they seriously degrade it, but pieces of their production network to observe if their deployed resilience systems handled the situation the way they designed it to.

My recollection of this is that it was kind of made famous by the folks over at Netflix a couple of years ago. Didn't they have, it was a software module they called Chaos Monkey?

Yeah, I love that name, right? So, in these days, Netflix has deployed an entire suite of these chaos engineering resilience tools, something they call the Simian Army.

How cool is that?

And they have really cool names like Latency Monkey and Conformity Monkey and Doctor Monkey and Janitor Monkey.
King Kong.
I know.
That's what comes to mind when I thought about it, too.
Yeah.
So, in this week's CSO Perspective podcast over on the CyberWire Pro side, we talk about the history of chaos engineering and how this is an advanced technique that maybe not everybody should use. But if you're a large Fortune 500 company or maybe even a gigantic government institution that absolutely has to keep your systems running 24 by 7, then this is probably
a technique you should consider. All right. Well, that is over on the pro side. So, what do you have
for us over on the public side?

For the public side, we unvault those old episodes from the CSO Perspectives archive. And this week's show is a Rick the Toolman episode from May of 2022 about how single sign-on works.
Now, if I remember correctly, single sign-on is a key component to identity and authorization management, right?
Yep, that's right, and which makes it a key tactic to consider for implementing your zero
trust first principle strategy.
So, in this show, we explain how single sign-on standards like OAuth, and that stands for open authentication,
and SAML for security assertion markup language, how they all work together,
and how you might use them to benefit your own enterprise.
Well, before I let you go, what is the phrase this week for your Word Notes podcast?
This week's word is NIST for the U.S. National Institute of Standards and Technology.
And did you know, Dave, here's the trivia question for you, that the authority to create the NIST back in 1901 when it was called the National Standards Bureau was taken from Article I, Section 8 of the United States Constitution.
Wow. All right.
Well, there's some schoolhouse rock I can get behind.
Absolutely.
All right.
Well, Rick Howard is the CyberWire's chief security officer
and also our chief analyst.
Thanks so much for joining us.
Thanks, Dave.

And I'm pleased to be joined once again by Deepen Desai. He is Global CISO and Head of Security Research and Operations at Zscaler. Deepen, it's always a pleasure to welcome you back to the show.
I want to talk to you today about the LilithBot malware, which I know is
something you and your colleagues have had an eye on lately. What can you share with us today?
Thank you, Dave. So Lilithbot is a multifunction malware family that the team discovered through our cloud security platform. And this is something that we flagged in our sandbox environment. And once we saw the payload, we started analyzing it and the team was quickly able to associate this with a Russian Jester group. It's also known as Eternity Group, which runs the Eternity Project. And it has been active since January 2022, so fairly new. But one of the key highlights over here is this group has been known to use a malware-as-a-service subscription model to distribute several types of payload. Lilithbot is just one of them on the underground forums.
Can you run us through the things that they're offering?
They offer a wide variety of
malware, starting with InfoStealers, which is
what we're talking about right now. It may have additional
functionalities like coin mining,
full-blown bot CNC modules,
ransomware, worm droppers.
So something that allows the threat actor
to propagate within the environment as well.
And then it also goes on the destructive side
of the house where they're able to support
and distribute DDoS bots.
So it's really kind of one-stop shopping
for folks who are out looking for this sort of stuff.
Absolutely.
Yeah.
What are we talking about here in terms of cost?
Is this an expensive provider
or are these things comparatively affordable?
Yeah, so they basically have a subscription model.
It's basically a malware-as-a-service membership fee
is what the threat actors will be paying here.
And what you're paying for is these type of groups
that run the malware-as-a-service model
has already incorporated all kinds of
advanced checks like anti-debugging, anti-VM. They will already have figured out how to securely
perform CNC communication, how to offer buying purchase platforms and things like that. So if you're someone new on the horizon,
you could basically pick one of these payloads up.
And honestly, it raises your malware's ability
to evade detection significantly
because you're already relying on someone
that has done all the work for you.
Well, let's talk about the detection side then.
How easy are these tools to detect and what are your recommendations for people to do so?
Yeah, so these type of tools, so Lilithbot in particular, what we saw was it was using various types of fields like license key, encoding key, GUID, which is encrypted via AES, and it decrypts itself at runtime.
It steals information.
It uploads itself as a zip file. So all the stolen information from the system gets zipped up
and then it's sent to the remote command and control server.
So when you think about detection,
the very first component that plays a very important role
in flagging these type of evolving,
continuously changing payloads
is your cloud sandboxing solution.
Having the ability to detonate the payload
and observe the behavior
and use that to flag the file as malicious
plays a very important role over here.
If you rely just on static signature-based approach,
the part that I mentioned earlier,
malware as a service,
they have some of these things already automated.
So they're able to get around those static detections.
So sandbox, very, very important to flag and block
that initial payload from entering your environment.
The second aspect that you should always prepare for,
what if my endpoint were to get compromised by this
for whatever reason, right?
And that's where the CNC communication
and the data exfil comes into play.
So over there, you need to have ability to inspect TLS
encrypted traffic, perform DLP inspection,
and then apply your CNC detection as well, where the goal is to block
the communication from happening between the compromised endpoint and the attacker-controlled
infrastructure.

All right. Well, good guidance as always. Deepen Desai, thanks for joining us.

necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.