CyberWire Daily - Cybercriminals favor cyberespionage in North Korea, Russia, and parts unknown. Movements and activity in the cyber underworld.
Episode Date: May 24, 2023
Kimsuky's tailored reconnaissance tools. GoldenJackal is an APT quietly active since 2019. Criminals target YouTube viewers with free cracked software. Rheinmetall's data was posted to BlackBasta's extortion site. The "Cuba" gang claims credit for the attack on the Philadelphia Inquirer. CERT-UA identifies a probable Russian cyberespionage campaign. Ireland views cyber assistance to Ukraine as a contribution to collective security. Ann Johnson from Afternoon Cyber Tea speaks with Tyrance Billingsley about Black Tech. Our guest is Oz Alashe from CybSafe on raising VC money amidst a down economy. And KillNet's underperforming hacktivists.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/100
Selected reading.
Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit (SentinelOne)
North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware (The Hacker News)
Meet the GoldenJackal APT group. Don't expect any howls (Kaspersky)
Follina: a Microsoft Office code execution vulnerability (DoublePulsar)
YouTube Pirated Software Videos Deliver Triple Threat: Vidar Stealer, Laplas Clipper, XMRig Miner (FortiGuard Labs)
Arms maker Rheinmetall confirms BlackBasta ransomware attack (Bleeping Computer)
Inquirer and forensics team investigating computer disruptions to publishing (Philadelphia Inquirer)
Cuba ransomware claims cyberattack on Philadelphia Inquirer (Bleeping Computer)
Espionage activity UAC-0063 in relation to Ukraine, Kazakhstan, Kyrgyzstan, Mongolia, Israel, India (CERT-UA#6549) (CERT-UA)
Ukraine Identifies Central Asian Cyberespionage Campaign (BankInfoSecurity)
Ireland's cyber security agency has been providing 'non-lethal aid' to Ukraine (Irish Times)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Kimsuky's tailored reconnaissance tools.
GoldenJackal is an APT quietly active since 2019.
Criminals target YouTube viewers with free cracked software.
Rheinmetall's data was posted to Black Basta's extortion site.
The Cuba gang claims credit for the attack on the Philadelphia Inquirer.
CERT-UA identifies a probable Russian cyberespionage campaign.
Ireland views cyber assistance to Ukraine as a contribution to collective security.
Ann Johnson from Afternoon Cyber Tea speaks with Tyrance Billingsley about Black Tech.
Our guest is Oz Alashe from CybSafe on raising VC money amidst a down economy.
And Killnet's underperforming hacktivists.
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, May 24th, 2023.
SentinelOne has observed North Korea's Kimsuky using advanced reconnaissance malware.
A new piece of custom malware in use by the hackers, RandomQuery, has the single objective of file enumeration and information exfiltration.
Other observed RandomQuery variants in the wild are much different, having a broader array of capabilities that usually includes keylogging and further malware execution features.
The tool is prominent in Kimsuky's arsenal and is commonly distributed through phishing attacks.
In the present wave of attacks, the hackers claim to be the chief executive of Daily NK, a well-known news organization based out of Seoul that reports on North Korean affairs.
The Hacker News writes that the gang sends a Microsoft Compiled HTML Help file, which, if opened, executes a Visual Basic script that eventually retrieves a second-stage payload, a VBScript flavor of RandomQuery.
The malware goes on to harvest system data and transmits them back to the threat actor's C2 server.
The outlet reports that the lifted data include system metadata, running processes, installed applications, and files from different folders.
Kimsuky is a North Korean advanced persistent threat that's operated since 2012 and is based in North Korea.
The gang has been seen targeting human rights activists, defector support organizations, and news services.
The GoldenJackal APT is a newly described threat actor that's been in operation since 2019.
Kaspersky explains that the group specializes in long-term infection and information collection against targets in South Asia and the Middle East.
The hackers were seen using fake Skype installers and malicious Word documents in 2020.
The other known infection vector, the researchers explain, was a malicious document that uses the remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.
The group sports a custom toolkit designed for collection, pivoting, and persistence.
Kaspersky, as usual, offers no attribution.
They do, however, note inconclusive circumstantial similarities between GoldenJackal and Turla, a generally Russian intelligence service-associated threat actor.
Kaspersky attributes the group's low profile to its low victim count and discriminating targeting.
FortiGuard Labs reports on a continuing campaign against YouTube viewers that exploits hijacked YouTube channels with high subscriber counts.
The attackers upload videos that show how to acquire free cracked programs like Adobe Acrobat.
Viewers who click links in the video to the cracked software are prompted to download a password-protected archive which is bloated with over one gigabyte of useless files.
FortiGuard explains that this is a technique commonly used to bypass antivirus and sandboxes that do not scan files beyond a specific size due to limited CPU and RAM resources.
The archive contains an infostealer, a crypto wallet clipper, a crypto miner installer with various miner controllers, and a fake cracked software downloader.
In general, users take a significant risk when attempting to download free software from non-vendor sources.
In this case, a user who had a crypto wallet could lose more money than if they purchased the software legitimately.
Experts recommend not clicking suspicious links advertising free products.
Black Basta, recently seen in action against Swiss-based technology company ABB, continues to show a predilection for attacks against industrial firms.
The double-extortion ransomware gang published data stolen from German steel, defense systems, and automotive manufacturer Rheinmetall on Black Basta's extortion site this past Saturday.
According to Bleeping Computer, samples on the site included non-disclosure agreements, technical schematics, passport scans, and purchase orders.
Rheinmetall confirmed that it had indeed come under attack by the Russian criminal organization, which was detected in mid-April.
The company notes that the attack only affects the group's civilian business.
Due to the strictly separated IT infrastructure within the group, Rheinmetall's military business is not affected by the attack.
The cyber attack the Philadelphia Inquirer sustained at mid-month may now be attributed to a specific criminal group.
The Cuba ransomware gang has claimed responsibility.
The Inquirer closely held the information behind the attack it sustained, disclosing few details.
The paper's operations were significantly disrupted, and outsiders speculated that the paper was being extorted by cyber criminals.
Yesterday, Bleeping Computer reports, those suspicions received some confirmation.
The Cuba ransomware group on May 23 posted data stolen from the Inquirer on Cuba's extortion portal.
The files, which Cuba says it obtained on May 12, are said to include financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, and source code.
The gang is unaffiliated with the government or nation of Cuba.
Rather, it's a Russian government-directed criminal and espionage organization.
Ukraine's CERT reports that an apparent Russian cyberespionage campaign has succeeded in compromising accounts belonging to the embassy of Tajikistan.
The threat actors, whom Ukraine tracks as UAC-0063, have used those accounts in a phishing campaign designed to install a keylogger, a backdoor, and a file stealer in targeted devices.
In addition to Ukraine, the campaign has affected organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India.
BankInfoSecurity writes that the campaign bears some similarities to past operations by Fancy Bear, Russia's GRU.
The Irish Times says that Ireland has been rendering significant cybersecurity support to Ukraine during Russia's war, and that Dublin regards that assistance as a contribution to collective security.
And finally, Killnet founder KillMilk announced today that he's dismissing the core roster of the gang because its 50 constituent groups with their 1,250 members aren't participating in hacktivism, or at least not enough.
So they're all fired.
He added that when Killnet returns, if it does, it will be with a whole new roster.
KillMilk will be working alone until he rebuilds the group.
He says he'll begin drafting a new roster tomorrow.
So spare a thought for your local hacktivist auxiliary.
It's so hard to find good help nowadays.
Coming up after the break, Ann Johnson from Afternoon Cyber Tea speaks with Tyrance Billingsley about Black Tech.
Our guest is Oz Alashe from CybSafe on raising VC money amidst a down economy.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Oz Alashe is CEO and founder of CybSafe, a British software-as-a-service company and provider of a platform that helps businesses reduce cyber risk.
Among the many awards and accolades Oz Alashe has received is the MBE, Member of the Most Excellent Order of the British Empire.
Our conversation centers on the state of VC funding for cybersecurity in uncertain financial times, and specifically how that might affect Black entrepreneurs.
Most VCs out there want great ideas that are likely to deliver real value into the market and, of course, real value back to shareholders and investors, and so any Black founder who is looking for VC money will need to be able to demonstrate that they have that.
And the reason that I guess we're talking about it is because there is no shortage of information that suggests that, you know, quite often many of the people that they will be pitching to, many of the organizations that they will be attempting to present their ideas and their teams to, won't necessarily look like them, maybe won't necessarily even understand the same context, circumstance and experience that they've had.
And therefore, they'll be less likely to raise money. The stats tell that story.
My experience has been wholly positive. You know, I've never really had a conversation with a VC that wasn't unpleasant, or at least wasn't any more unpleasant than I think it's supposed to be sometimes, is the truth.
But what is very, very true is that Black founders will need to be really clear about how their opportunity is going to deliver return and value.
And they can't take for granted that people will necessarily understand where they're coming from, especially if they don't necessarily come from the same places and backgrounds that many of the other founders that the VCs look at will have come from.
It's a really interesting point.
And I think, you know, over the past couple of years, we've seen certainly an emphasis on the importance of diversity in cybersecurity, the importance of diversity in thought, that people from different backgrounds bring different approaches to problem solving.
How does that play into where we find ourselves today, to the reality of that situation? Can it be a help? Is it a hindrance? Is it neutral? What's your insight there?
In my experience, I think it should absolutely be a help.
You know, the cybersecurity industry is extremely problem-focused.
And we all exist as security professionals to address challenges that really come about because of the intersection between people and technology and the future, the things that we're trying to do as a society with technology, the things that individuals are trying to do, solving problems.
And so the challenge that we've got as security professionals is really making sure that we can address those problems and address those challenges and face into that future, given everything the adversary wants to do, with the biggest range of minds that we can possibly apply to these challenges.
So you can't really do that if you don't have a diverse group of people.
And a diverse group of people tends to come from a range of different backgrounds, a range of different places.
And so diversity of mind and thought is important, as is diversity of ethnicity, as is diversity of gender, as is diversity of socioeconomic group.
All of these things bring different backgrounds.
And so what we see today, I believe, is an increasingly diverse landscape, but it needs to happen faster because the problem set isn't going away.
The challenges are only increasing and we need even more brilliant minds applying themselves to these challenges.
Do you suppose it's fair to say, or is it overstating it, that a Black entrepreneur coming into a meeting like this may have to be more prepared than someone else?
I don't think it's unfair to say that.
As a Black man myself, and a Black founder myself, and indeed having had a few other, or indeed at least one other career before this as well, the reality is that unfortunately sometimes we face prejudice.
We face people who either wittingly or unwittingly expect certain things because of what they see in front of them, rather than actually listening to what is being said, or indeed actually maybe even seeing past what is in front of them.
And so with that in mind, I do think it's right that Black founders do need to be doubly prepared.
That's not to say that everybody they're speaking to is either racist or indeed doesn't want them to succeed.
It's just simply to say that actually you can't take that for granted.
Unfortunately, prejudice, as a male necessarily fully compared to, for example, some of my female founders.
The same is true with non-Black founders and Black founders.
And so they do need to turn up more prepared, more prepared to ensure that actually the good idea that hopefully is as good as an idea as anybody else's is going to be heard, is going to be understood, and is going to get the opportunity that it needs to succeed.
What's your advice for folks who are in this situation, you know, looking around the room and not seeing very many people who look like them? Do you have any words of wisdom?
I don't know that they would be words of wisdom, Dave. I'm not entirely sure that I am the wisest person, but I would happily share my thoughts and indeed my experiences as well.
I guess my first recommendation is to not be fazed by it.
The reality is that if you are an entrepreneur or wanting to be an entrepreneur and a founder of a company that is going to do something really quite spectacular as far as impacting the world is concerned, then being in a room full of people who don't look like you should not knock you off your stride.
It's not ideal, it's not what we would seek, but it is the reality of the world today and actually it doesn't necessarily need to be a bad thing.
There are so many good VCs and investors out there who really only care about the problem that's to be solved and the opportunity in the market.
So don't be fazed by it, would be maybe one bit of advice I would give by people go do your best, be your best and help these people understand why you truly are going to change something spectacular.
The other thing I would say is to maybe speak to other people who are in the same situation as you, that's as founders, regardless of background, you know, ultimately the more that you can hear and learn about the experience of raising money, the more it's going to feel less alien to you.
And that in itself is going to help.
But the other thing I would say is bear in mind that ultimately, what you are doing is selling an idea, yourself and your team.
And of course, ideally your business, you know, depending on what stage you're at, you already have a business, you're already generating revenue. And indeed, you already have customers.
And all of those things need to be presented well.
And it doesn't matter what color you are, if you present them badly, you're not going to go anywhere.
So again, I would just really focus on making the most of the opportunity rather than focusing too much on the disadvantages.
Ultimately, the disadvantages are not ideal, but they are absolutely surmountable.
That's Oz Alashe, CEO and founder of CybSafe.
Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast right here on the CyberWire podcast network.
She recently spoke with Tyrance Billingsley about Black Tech. Here's part of their conversation.
And today we're going to talk about the power of community and the rebirth of Tulsa, Oklahoma, as a center for Black leadership and cultivation of Black potential.
I'm joined today by Tyrance Billingsley II, a born and raised Tulsa entrepreneur, ecosystem builder, and community leader with a background in politics and community organizing.
For the past three years, Tyrance has been seeding the narrative of Black Wall Street as the world's premier Black innovation economy through Black Tech Street, an organization where he is the founder and executive director.
Welcome to Afternoon Cyber Tea, Tyrance.
Thank you so much, Anne. It's a pleasure to be here.
So that brings us directly back to Black Tech Street. This is an organization initiative you founded because you had that passion and you wanted to have that impact for your mission.
Tell us more about Black Tech Street. What was the purpose behind the organization and how actually did it come to be? I'd love to understand the origin story.
Absolutely. So being a born and raised Tulsan and a relative of Tulsa Race Massacre survivors, I had heard about the excellence of Black Wall Street.
It was deeply rooted in my identity.
So I eventually ended up asking myself a question where I said, what could Black Wall Street have been had it been supported and not destroyed?
And when I thought about the level of tenacity that it took for these entrepreneurs to build these incredible businesses during Jim Crow, the smashing through walls and the out of the box thinking, it showed a lot of parallels with the attitude you have to have to be successful in the tech industry.
And that's essentially led me to this kind of three-pronged epiphany.
You know, one, tech is one of the only industries in which you can build intergenerational wealth in seven to 10 years via successful company exit.
Two, tech is the core medium through which all global innovation is consistently taking place.
And three, by the year 2030, there were projected to be as many as 4.3 million high-paying vacant tech jobs due to a tech talent shortage.
So when I put all three of these things together, I not only saw an incredible wealth-building opportunity for Black people, I kind of saw the Black Wall Street vision pushed to a new horizon.
So this led me to surmise, had Black Wall Street been supported and not destroyed, it would be nothing other than the nation's premier Black tech ecosystem.
So that's where the name Black Tech Street comes from.
And that's our mission, working to rebirth Black Wall Street as a tech hub, but also kind of use Black Tech Street as this banner that catalyzes a movement that sees Black people embrace tech as a means to build wealth and impact the world.
So community, one of the aspects of Black Tech Street that you emphasize is community, and communities provide us with a sense of connection, a sense of support.
And also, we can build communities for learning where people have the ability to have resources that are so critical.
Why is community so important to Black Tech Street? And tell us a little about the community that you have and you're building in Tulsa.
Absolutely. So community is so critical to Black Tech Street because community was critical to Black Wall Street.
What made Black Wall Street successful were so many different actors collaborating in ways that uplifted each other and they were able to fill in each other's gaps.
They were able to make up any lack that the other had by providing key services.
So community is critical to Black Tech Street because it's built on the foundation of that culture.
But also the Tulsa community and particularly the Black Tulsa community, we have a saying called, you know, what you do for me without me, you do to me.
And that essentially emphasizes that even if you're trying to help, even if you want to do something that's good for the community, you have to do it alongside them.
You can't sit up in an ivory tower or in some room and say, we're going to think of something cool to do for Black people, but we're not going to involve them in the process.
We're not going to have their fingerprints all over the plan.
That's not how things get done in the Greenwood community in Tulsa.
It's pretty core for us to be able to operate.
That's Ann Johnson from Afternoon Cyber Tea speaking with Tyrance Billingsley.
You can hear more of that conversation on the Afternoon Cyber Tea podcast.
You can find that wherever you get your podcasts.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by Rachel Gelfand.
Our executive editor is Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.