CyberWire Daily - Cyberespionage from Tehran. Clop ransomware operators exploit vulnerable SolarWinds instances. Mercenaries and lawful intercept vendors. Patch Tuesday.
Episode Date: November 10, 2021
Tehran's Lyceum group expands its activities against ISPs and telcos in Israel, Morocco, Tunisia, and Saudi Arabia. Clop is going after unpatched instances of SolarWinds. Cyber mercenaries are quietly competing with lawful intercept vendors. NSO Group receives a setback from the US 9th Circuit. Mexico makes an arrest in its Pegasus investigation. Carole Theriault shares her thoughts on the supply chain. Josh Ray from Accenture Security on Moving Left of the Ransomware Boom. And notes on Patch Tuesday. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/217 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code N2K at checkout.
Tehran's Lyceum group expands its activities against ISPs and telcos.
Clop is going after unpatched instances of SolarWinds.
Cyber mercenaries are quietly competing with lawful intercept vendors.
NSO Group receives a setback from the U.S. Ninth Circuit.
Mexico makes an arrest in its Pegasus investigation.
Carole Theriault shares her thoughts on the supply chain.
Josh Ray from Accenture Security on moving left of the ransomware boom.
And notes on Patch Tuesday.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 10th, 2021.
Security researchers at Accenture and Prevailion describe the recent activities of the Iranian threat group Lyceum, earlier tracked as Hexane by Kaspersky and as Siamesekitten by ClearSky. Lyceum's recent activity has concentrated on installing backdoors in ISPs and telecommunications companies located in Israel, Morocco, Tunisia, and Saudi Arabia. An unnamed foreign ministry in Africa has also been targeted.
Prevailion summarizes the findings as follows, quote, At least two of the identified compromises are assessed to be ongoing despite prior public disclosure of indicators of compromise. Domain name system tunneling appears to be used only during the early stages of backdoor deployment. Subsequently, the Lyceum operators use the HTTPS command and control functionality encoded in the backdoors. End quote.
The current round of attacks on ISPs and telecommunications providers represents, according to Accenture, an extension of Lyceum's interests. The threat actor has continued to direct its attentions to the oil and gas sector and what Accenture characterizes as sectors of strategic national importance.
Researchers at NCC Group report that the Clop ransomware gang is increasing its exploitation of the Serv-U vulnerability, that's CVE-2021-35211, to gain access to unpatched SolarWinds instances. Quote, NCC Group strongly advises updating systems running SolarWinds Serv-U software to the most recent version, at minimum version 15.2.3 HF2. End quote.
The researchers also provide a description of the ways in which Clop has hit unpatched SolarWinds instances, as a guide to checking whether an organization has suffered exploitation.
Forbes describes the activities of the Rocket Hack Russian criminal group, which it characterizes as a cyber-mercenary operation specializing in gaining access to targeted individuals' Gmail, ProtonMail, and Telegram accounts. Rocket Hack is described as occupying essentially the same space as lawful intercept vendors like NSO Group.
A researcher at security firm Trend Micro gained insight into Rocket Hack's operation through an OPSEC failure on the part of the mercenary crew. A website used by Rocket Hack to monitor its victims was left exposed and unsecured. It afforded the researchers an insight into the group's operations.
Forbes writes, quote, For the last four years, the Russian-speaking Rocket Hack crew has quietly infiltrated email and Telegram accounts, PCs, and Android phones of as many as 3,500 individuals. The targets range from journalists, human rights activists, and politicians through to telecommunications engineers and IVF doctors across a few dozen clinics. Many of the targets were either prominent politicians or government officials. The countries affected were Belarus, Uzbekistan, Ukraine, Slovakia, Russia, Kazakhstan, Armenia, Norway, France, and Italy. Journalists were also targeted.
The interest Rocket Hack showed in IVF clinics suggests that they were interested in a secondary market for sensitive personal information that could be sold elsewhere. Forbes regards the discoveries about Rocket Hack as showing that the arguably legal but controversial market for lawful intercept products, the market that's come to be represented by NSO Group, has a clearly criminal counterpart occupied by mercenaries like Rocket Hack.
And speaking of the NSO Group, the company's efforts to have a U.S. federal lawsuit against it set aside have been rebuffed. In a 3-0 decision rendered Monday, the 9th U.S. Circuit Court of Appeals rejected NSO Group's motion to dismiss a suit brought by WhatsApp and Facebook. According to Lawfare, WhatsApp alleges that NSO Group, quote, sent malware, that is the Pegasus surveillance tool, through WhatsApp's server system to mobile devices, end quote.
That suit will now proceed, and the Daily Beast writes that NSO Group is likely to be required to disclose much about its controversial dealings with governments who have abused the company's intercept tools. NSO Group has sought to have the case dismissed on the grounds that it should enjoy sovereign immunity. The Ninth Circuit rejected that claim, quote, whatever NSO's government customers do with its technology and services does not render NSO an agency or instrumentality of a foreign state, as Congress has defined that term. Thus, NSO is not entitled to the protection of foreign sovereign immunity, and that is the end of our task. End quote.
In another case related to the NSO Group, Mexican prosecutors have made an arrest in the course of an investigation of alleged abuse of its Pegasus surveillance software. The AP reports that Mexican authorities took a businessman, Juan Carlos García Rivera, into custody on November 1. He's accused in connection with the installation of spyware on a journalist's phone. The AP quotes a member of the activist group Article 9 as saying that García Rivera is a technical employee of a private company that was an intermediary for NSO in Mexico. That last sentence alludes to allegations of improper use of Pegasus by Mexico's government. Project has reported that official users of the intercept tools within Mexico's government include the Defense Ministry, the Attorney General's Office, and the National Security Intelligence Service. President Andrés Manuel López Obrador has said, according to SecurityWeek, that these agencies no longer place journalists or opposition figures under surveillance and that the tools are only used against criminals.
Microsoft addressed 55 vulnerabilities in yesterday's Patch Tuesday.
Krebs on Security says that two of the bugs are undergoing active exploitation in the wild.
CISA yesterday released advisories on eight industrial control system vulnerabilities,
along with information on patches and mitigations.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Before the pandemic, many of us had grown accustomed to living in an on-demand world.
Order it today and it will be here tomorrow.
Then COVID hit and everything from toilet paper to automobiles were left in short supply.
The supply chain crisis continues and commentator Carole Theriault wonders where else it may lead. She offers this report.
So today I learned that there is an actual degree in supply
chain management or logistics. I'd never really thought about people actually studying it, but of
course it makes total sense. Supply chains are big business. Think about all
the devices in your home or your place of work, all those electronics. They have components from
a whole host of different manufacturers from around the world. These components often run
software from different coding houses or organizations all around the world. And they're
all wrapped up, tied with a bow,
and made into the thing you now have in your home, which perhaps you bought directly from
the manufacturer, but more likely you bought from a distributor or a vendor or secondhand.
It is absolutely dizzying to think about how many people and technologies are involved
in all the little devices we depend on, from key fobs to
headphones to IoT devices. Think about all the logistics involved in getting bits from a dozen
places on time into spec. Now, why are we talking about this? Well, the pandemic is hitting the
supply chain hard, and the impact is already being felt. Some of COVID's hardest hit countries are those that
manufacture key components in these devices we rely upon. According to Bloomberg, the supply
chain crunch that was supposed to only be temporary is now looking like it will carry
on impacting businesses for some time to come. Now, in short, the message is that organizations are not getting
components they need to make their slightly more complex components. Plus, when they are ready to
ship, they can't get access to shipping containers. Oh, and the costs have skyrocketed. Even mighty
Toyota Motor Corporation is affected. The automaker recently warned that it will suspend output at 14 plants across Japan
and slash production by 40% due to supply disruptions, including chip shortages.
And then of course, on the other side of the planet, companies in the UK, for example,
are grappling with record low levels of stock and retail selling prices are rising at the fastest pace since
November 2017. Of course, this is a problem that hits all industries, not just tech. We've got
retail, food, health, you name it, and the logistics will have been hampered by COVID.
But for tech, where all these components need to be regularly tested and checked at every stage
to ensure that there are not vulnerabilities
lurking inside the code or the components, that users are not left wide open to attack due to a
human oversight. These tests that help assure quality and resiliency are important. And with
companies now hit by staff reductions, higher costs, and increased demand, how many are going to be tempted to skimp
on the testing in order to get their component out the door? So the takeaway is this. As a home user,
I'd advise you know what devices are in your home and accessing your networks. Set up a Google alert
for the device name so that you can get an early warning should the device be impacted in a negative way.
And as an organization, be you a manufacturer or distributor or somewhere in between, be as diligent and rigorous on testing as you can.
But also hammer those components in your supply chain because your reputation is built on theirs as well.
The reason is simple.
You're less likely to be caught with your proverbial trousers
around your digital ankles.
That's CyberWire UK correspondent, Carol Theriault.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Josh Ray. He is Managing Director and Global Cyber Defense Lead at Accenture Security. Josh, always great to have you back on the show.
You know, I know you and your colleagues at Accenture recently collaborated with some
folks from Carbon Black on some security research.
What can you share with me here?
What was the goal of the research?
Yeah, Dave, this is awesome.
I'm really excited about this and this broader partnership we have with VMware.
And I think one of the things that we really wanted to do as part of this partnership is address this notion of ransomware kind of head on.
So as you mentioned, we focused on some research that really, I think, is looking at the tactics used by cyber criminals to not only infiltrate but move around a company's network prior to the ransomware deployment. And this is paying very close attention to this notion of time to ransom, like TTR.
Well, can you go through some of the highlights for me? What are some of the key findings here?
Yeah. And I think one of the things that
makes this research kind of interesting and unique is that we were able to really leverage multiple collection sources.
So as an example for this research, we looked at a little over about 10 to 15 incident response investigations.
We managed to leverage our dark web collection and monitoring capabilities.
And then we also combined that with the carbon black endpoint telemetry from their carbon black cloud.
So as you can imagine, now we have multiple sources and a very holistic look.
And then we mapped all of our findings against the MITRE ATT&CK framework.
So for instance, a few highlights, and I'll just go through those briefly
because I want to encourage folks to read this more in detail on the blog.
But say for initial access, we really identified that remote access, RDP vulnerabilities was
one of the primary methods for initial access being used by ransomware actors.
And this was, of course, followed very closely by socially engineered phishing emails.
And the emails will obviously contain a concealed dropper, and they'll drive a first stage
download payload.
But these are the tools that really help the threat actor gain access and perform a variety
of different functions.
From an execution standpoint, both Accenture Security and the TAU from VMware continue
to observe actors using living-off-the-land techniques, but they're also using a lot of these off-the-shelf tools.
A lot of our dark web collection and research has indicated
that some of these operators now are actively recruiting pen testers
because they're very experienced with these commodity tools
like Cobalt Strike Platform.
And then other threat actors are really starting to sell these
and release these cracked versions of Cobalt Strike, further lowering this notion or this barrier of entry for this tool that's incredibly versatile.
If we look at persistence, we see attackers using PowerShell activity to modify the Windows registry and startup files.
And this is really one of the predominant methods of gaining persistence on the endpoint.
And then, you know, without going too far down
the rabbit hole of MITRE here,
but from a privilege escalation credential access standpoint,
attackers are really using Mimikatz predominantly
to harvest credentials.
And then using the Mimikatz binaries,
which remains really one of the highest detections
related to credential harvesting that Carbon Black has historically observed.
Those are just kind of the highlights from just the report itself.
But there are some positive takeaways here.
What are some of the positive things that we can take from this?
For me, I'm struck by the collaboration here, which I think is important, but what are some of the highlights for you?
Yeah, I mean, collaboration is obviously key, right? But really what the team found as part of this research is that security practitioners have the opportunity, there's actually several opportunities to disrupt criminal behavior prior to the ransomware executing. And that at each stage of the attacker cycle, there's really a number of different opportunities to detect and remove the threat. So remember, really, it only takes one solid mitigation to break the criminal's kill chain. And in doing so, you're driving up that cost and increasing your ability to detect and respond to these threats more effectively.
Is it effective to essentially make yourself not be the low-hanging fruit? I mean, in the real world, how helpful is that? Just checking off all those basics, making sure you're not the easy target on the block.
Yeah, I think that speaks to basically becoming a resilient organization, right?
I think if you're able to do all of the things that are necessary from a hygiene standpoint,
but then as you really start to move, again, kind of left of boom and get a little bit
more proactive in your approach and look for specific things to break,
again, break that kill chain of the threat,
you're going to do more to really, I think,
effectively not only drive the resilience,
but lower your overall risk posture.
All right.
Well, the blog is titled Moving Left of the Ransomware Boom.
Josh Ray, thanks for joining us.
Thanks so much, Lee.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman,
Trey Hester, Brandon Karp, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carole Theriault,
Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben. Thanks for listening.
We'll see you back here tomorrow.