CyberWire Daily - Cyber skirmishing as Russia redeploys in Ukraine. Spyware in senior EC official’s device. Sharkbot-infested apps ejected from Google Play. Advice from CISA.

Episode Date: April 11, 2022

US National Security Advisor says atrocities were part of Russia's plan. Russian commanders seek to keep troops away from dangerous sections of the Internet. Cyberattacks in Finland may be a shot across Helsinki's bow. CERT-UA warns of a phishing campaign. Hacktivists hit Russian organizations. Mixed reviews for US preemptive measures against GRU botnets. Sharkbot-infested apps ejected from Google Play. Johannes Ullrich from SANS on malicious ISO files embedded in HTML. Our guest is Neal Dennis from Cyware on threat intel sharing with members of Auto-ISAC. What you should do when your Shields are Up.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/69

Selected reading.
Russia Shuffles Command in Ukraine as Thousands Flee the East (New York Times)
Sullivan: Intel indicates plan from ‘highest levels’ of Russian government to target civilians (The Hill)
Russian soldiers banned from social media as ‘uncomfortable truths’ drain their morale (The Telegraph)
West Seeks to Pierce Russia’s Digital Iron Curtain (Foreign Policy)
YouTube blocks Russian parliament channel, drawing ire from officials (Reuters)
U.S. quietly paying millions to send Starlink terminals to Ukraine, contrary to SpaceX claims (Washington Post)
Hackers use Conti's leaked ransomware to attack Russian companies (BleepingComputer)
State Service of Special Communications and Information Protection of Ukraine (GUR)
How Russia's Invasion Triggered a US Crackdown on Its Hackers (Wired)
The U.S. Opens a Risky New Front in Cyberdefense (Bloomberg)
Meet the 1,300 librarians racing to back up Ukraine’s digital archives (Washington Post)
The Race to Save Posts That May Prove Russian War Crimes (Wired)
Exclusive: Senior EU officials were targeted with Israeli spyware (Reuters)
SharkBot Android Malware Continues Popping Up on Google Play (SecurityWeek)
SharkBot Banking Trojan spreads through fake AV apps on Google Play (Security Affairs)
Sharing Cyber Event Information: Observe, Act, Report (CISA)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Russian commanders seek to keep troops away from dangerous sections of the Internet. Cyber attacks in Finland may be a shot across Helsinki's bow. CERT-UA warns of a phishing campaign. Hacktivists hit Russian organizations.
Starting point is 00:02:13 Mixed reviews for U.S. preemptive measures against GRU botnets. Sharkbot-infested apps have been ejected from Google Play. Johannes Ullrich from SANS on malicious ISO files embedded in HTML. Our guest is Neal Dennis from Cyware on threat intel sharing with members of the Auto-ISAC, and what you should do when your shields are up. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 11th, 2022. Ukraine's military intelligence service has posted a file to its Facebook account that purports to be a Russian document complaining of Ukrainian online attempts to influence historical memory and manipulate opinions
Starting point is 00:03:18 and to distribute false information about events and the situation on the ground. If the document is genuine, and the Telegraph hasn't yet been able to authenticate it, it would also provide more evidence of disaffection and poor morale in the ranks. According to the document, commanders of all ranks and a number of units have faced opposition from personnel expressing dissatisfaction with the conduct of the special military operation in Ukraine. The main source of such information is the Internet. The troops' Internet use also presents, according to the posted document,
Starting point is 00:03:56 an OPSEC challenge that the Russian army intends to address. They say, in light of this, the Ministry of Defense, in conjunction with colleagues at the Center for Information Countermeasures, has decided to create an interagency commission for working with personnel on the Internet, increase control of personnel and monitoring of changes in their moral-psychological conditions. Reuters reports that Duma TV, the streaming service run by Russia's parliament, has been removed from YouTube, which cited a violation of YouTube's terms of service as grounds for the expulsion. Google said in an email to Reuters, if we find that an account violates our terms of service, we take appropriate action.
Starting point is 00:04:36 This frames the expulsion as a matter of compliance with applicable law, including sanctions against Russia. On Friday, as Ukrainian President Zelensky addressed Finland's parliament, Bloomberg reports that websites operated by Finland's foreign and defense ministries were disrupted by a distributed denial-of-service attack. The attack was over quickly, in about an hour, and while its timing suggests a Russian operation, Security Affairs says that Helsinki did not immediately attribute the attack to Russia. Their Ministry of Defense is investigating. Russia's war against Ukraine has made NATO membership attractive to some neutral European states,
Starting point is 00:05:18 notably Finland and Sweden, both of whom NATO Secretary General Stoltenberg said last week would be welcome in the alliance. Ukraine's CERT has warned that a phishing campaign by the Armageddon threat group is targeting Ukrainian public authorities. The phish bait used is ironic but compelling, a document purporting to report Russian atrocities. The file has the lengthy and bureaucratic-sounding title. Armageddon is also known as Actinium, Gamaredon, and Primitive Bear, and is thought to represent a unit of Russia's FSB. The Anonymous-associated group that styles itself Network Battalion 65, or NB-65, has deployed compromised Conti ransomware code against Russian organizations. BleepingComputer reports that the group is using the first leaked
Starting point is 00:06:22 version of Conti ransomware. The group said in a statement that their expanded ransomware campaign is a direct reprisal for Russian atrocities at Bucha. Quote, After Bucha, we elected to target certain companies that may be civilian-owned but still would have an impact on Russia's ability to operate normally. The Russian popular support for Putin's war crimes is overwhelming. From the very beginning, we made it clear. We're supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this ridiculous war,
Starting point is 00:06:57 NB-65 will stop attacking Russian internet-facing assets and companies. Until then, f*** them. We will not be hitting any targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs, have been hitting the West for years with ransomware, supply chain hits, SolarWinds, or defense contractors. We figured it was time for them to deal with that themselves. A Bloomberg op-ed notes that last week's U.S. disabling of GRU command and control
Starting point is 00:07:30 over malware deployed to corporate networks, while welcome as an aggressive defensive measure, and while covered by U.S. federal warrants, was nonetheless a risky move precisely because of its aggressive quality. The operation involved entering corporate networks without their owner's knowledge or cooperation. The piece argues, What's remarkable about this operation is the decision to surreptitiously enter companies' computer networks. It's one thing to have the police show up to your house when you aren't at home to investigate and detain an intruder.
Starting point is 00:08:04 It's another thing entirely to cart away the intruder and never tell you about it. While U.S. allies might not mind, corporations, both foreign and domestic, could be forgiven for being alarmed at the prospect of U.S. authorities secretly rummaging around in their computers hunting for malware, even if it's for a good cause. One concern is that such actions could erode the public-private cooperation generally seen as essential to effective whole-of-nation defense against nation-state cyberattacks. In what amounts to a massive backup effort, librarians are working to preserve
Starting point is 00:08:42 digital records of cultural or historical importance to Ukraine, the Washington Post reports. Other digital archives are likely to prove important in the event war crime charges are brought against Russian invaders and their commanders. Wired describes the work of an attorney in Ukraine who's archiving social media posts that recount Russian atrocities in territories they fought over or occupied. A Reuters exclusive reports that senior European Union officials were targeted by an unknown actor using spyware thought to have been developed by one of two Israeli vendors. Didier Reynders, since 2019 European Justice Commissioner, is the most prominent official believed to have been affected. A small number of staffers at the European Commission are also said to have been affected.
Starting point is 00:09:33 The exploit used to deploy the spyware is thought to have been ForcedEntry. NSO Group denies that its products would have been capable of the exploitation reported. The other vendor, Quadream, which is said to offer a virtually identical product, did not comment to Reuters. Recent SharkBot Trojan infestations, tracked by Check Point researchers and earlier noted by NCC Group as representing a new-generation Android banking Trojan, have been found in Android antivirus apps distributed through Google Play. Security Affairs reports that SharkBot's code employs a geofencing feature
Starting point is 00:10:13 to prevent it from executing in China, India, Romania, Russia, Ukraine, and Belarus. Google has removed the malicious apps. What should you be doing when your shields are up? Well, if you see something, say something. During the current shields-up condition, the U.S. Cybersecurity and Infrastructure Security Agency has released a brief crib sheet on how organizations should observe, act, and report when they undergo a cyber incident.
Starting point is 00:10:42 The kinds of activities CISA would like you to be alert for include unauthorized access to your system, denial of service attacks that last more than 12 hours, malicious code on your systems, including variants if known, targeted and repeated scans against services on your systems, repeated attempts to gain unauthorized access to your system, email or mobile messages associated with phishing attempts or successes, and finally, ransomware against critical infrastructure.
Starting point is 00:11:11 The emphasis is definitely on reporting. And finally, we end on a sad note today. Our sincerest condolences go out to Scope Security, who lost their founder and CEO last week. Michael Murray passed away on April 6th. May his family, friends, and colleagues find consolation in their grief. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:11:52 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:12:26 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Information sharing and analysis centers, better known as ISACs, are generally considered a success story in the security world, enabling members of industry verticals to collaborate and share relevant information on emerging threats. Neal Dennis is a senior threat intelligence specialist at Cyware, and he and his team have been instrumental in partnering with the Auto-ISAC
Starting point is 00:13:58 to help share actionable intelligence for the automotive community. ISACs are what are called information sharing and analysis centers. They are kind of a legal conglomeration of sector-specific communities. This kind of came about in the 90s with some legislation around some fun things for information sharing and collaboration, right? So FS-ISAC being the old dogs in the room, and then several others come out. But very industry-specific, vertical-specific. In this case, with Auto-ISAC, it can include things from the companies up in Detroit, like Dodge, GMC, so on and so forth, all the way down to the manufacturers producing spark plugs and floor mats, if you want to.
Starting point is 00:14:42 But if you're in the auto industry as a whole doing something for the auto industry, you now have this sharing facilitator for you for cybersecurity and other things as well. Yeah, one of the things that strikes me about ISACs is that it's a way for folks who may be competitors to collaborate on this common task of making a safer community. Yes, yeah. I love this. So I've worked in an ISAC prior many years back, and I think that was one of the fun things to see just in general, to your point.
Starting point is 00:15:15 On paper, at the stock market, wherever we're at, we're competitors, obviously. We want to make the best product for whatever it is that we have, best car, best truck, best spark plug, whatever it may be. But when it comes down to cybersecurity, people have really started to understand that this isn't a solo act. This isn't meant to be my company versus your company. People understand that if we're able to stop a threat at company A, we're also hopefully able to stop it at B, C, and D. And so this is very much all about community involvement, non-competitive nature, people coming together to make the security environment a much better place, thankfully. Where do you suppose this is going? I mean, it seems to me like ISACs have been
Starting point is 00:15:57 established and there's general consensus that they're a good thing. What's the next level here? Where do you suspect we're headed? ISACs have already had the opportunities to really share with each other, like the ISAC analyst to analyst, right? So I think the next step is really solidifying that effort. I see this a little bit in some of the communities there that I talk with, where the analyst at Health-ISAC, the analyst at Auto-ISAC, or wherever, at pick an ISAC, they're all starting to come together on a regular basis. They're all starting to show the impact of community from their own side and not just trying to get their members to get involved, right? So I think that's kind of step one. Their own interactions are bearing fruit. They're showing through action, not through words alone, what it means to do this and what it means to get involved in a community gathering like this.
Starting point is 00:16:52 And I think that's where they're going. Information sharing need to be more focused on automation and more focused on machine-enabled information sharing to get out in front of whatever threats may be there. And whether they're as simple as an IP address or as more complicated as trying to share TTPs and actual threat actor information, all of that needs to eventually find its way into a more machine-enabled sharing mentality with the human coming in to discuss, you know, kind of more after actions and the insights around all that when they can, right? That's Neal Dennis from Cyware. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, always great to welcome you
Starting point is 00:18:45 back to the show. Interesting thing you and your colleagues have had an eye on. You've been seeing some small ISO files that have been embedded in HTML pages. What's going on here? Now, when you're thinking about ISO files, you're usually thinking about DVDs, CDs, so fairly massive files. But really all an ISO file is, it's a file system represented as one file. So they can get relatively small. What we have seen is we had malicious emails that were HTML emails, so nothing really that exciting. But inside there were links that redirected your browser to a page that then ran JavaScript. Again, nothing really that special. And this JavaScript then dynamically created an ISO file using a base64 encoded string that was embedded in the HTML. The size here was tens of kilobytes, so nothing really that large as far
Starting point is 00:19:48 as HTML pages go. Most HTML pages are larger than that, but it bypasses a lot of protections that you may have in place. Yeah, I mean, do most systems regard an ISO file as being fairly benign? Exactly. That's, first of all, they regard it as benign, so you just download the file and it now shows up as a disk image, just like any other ISO file would, on your system, that you can mount by just double-clicking it. Then you have access to these files. What gets interesting is your operating system, if you have a Mac or Windows, it will add what's called a mark
Starting point is 00:20:27 of the web to content that you downloaded from the internet. On Windows, this mark of the web is applied only if you're using the NTFS file system, because you need to have actually a way to sort of store this metadata with the file. But now you have an ISO file that you opened. That ISO file has another file system on it. So any file inside that ISO file, they will be considered safe and local. So your system doesn't necessarily realize that these files were downloaded from the internet.
Starting point is 00:21:04 You may have heard, I think this week, Microsoft announced that they will disable macros for a large part. And of course, macros are one of the main ways how malicious code runs on systems. If you're loading a file from an ISO file like this, like if this ISO file contains an Excel spreadsheet, this mark of the web won't be applied and this new security feature won't be applied to those files. So I'm pretty sure that whoever is behind Emotet or whatever it is these days is paying attention here and listening and is going to send you ISO files next.
Starting point is 00:21:46 So how can we protect against this? Should we be flagging ISO files in general? You probably should flag ISO files. The hard thing is you wouldn't want to detect them in the download process. And that's difficult here with all the JavaScript obfuscation that's happening. On the system itself, you definitely want to monitor what's happening with ISO files.
Starting point is 00:22:12 There are benign ISO files, of course, that you have to deal with, but probably less so on your normal office worker workstation. On a home system, yeah, ISO files, you often deal with them when you're dealing with movie downloads and such. So it may be difficult to really distinguish a malicious one from a benign one. Yeah. All right.
Starting point is 00:22:39 Well, interesting for sure. Johannes Ullrich, thanks for joining us. Sure. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks.
Starting point is 00:23:19 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:25:07 That's ai.domo.com.
