CyberWire Daily - Cyberespionage in East and Southeast Asia, for both intelligence collection and domestic security, Spyware tools tracked. Shifting cyber targets in Russia’s hybrid war. Securing the Super Bowl.
Episode Date: September 25, 2023

The Gelsemium APT is active against a Southeast Asian government. A multi-year campaign against Tibetan, Uighur, and Taiwanese targets. Stealth Falcon's new backdoor. Predator spyware is deployed against Apple zero-days. An update on Pegasus spyware found in Meduza devices. There's a shift in Russian cyberespionage targeting. A rumor of cyberwar in occupied Crimea. In our Industry Voices segment, Amit Sinha, CEO of DigiCert, describes digital trust for the software supply chain. Our guest is Arctic Wolf's Ian McShane with insights on the MGM and Caesars ransomware incident. And if you're looking for a Super Bowl pick, go with an egg-laying animal... and, oh, the NFL and CISA are noodling cyber defense for the big game.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/183

Selected reading.
Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government (Unit 42)
Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government (IBM X-Force Exchange)
Evasive Gelsemium hackers spotted in attack against Asian govt (BleepingComputer)
Unit 42 Researchers Discover Multiple Espionage Operations Targeting Southeast Asian Government (Unit 42)
EvilBamboo Targets Mobile Devices in Multi-year Campaign (Volexity)
From Watering Hole to Spyware: EvilBamboo Targets Tibetans, Uyghurs, and Taiwanese (The Hacker News)
Stealth Falcon preying over Middle Eastern skies with Deadglyph (We Live Security)
Deadglyph: Covertly preying over Middle Eastern skies (LABScon)
New stealthy and modular Deadglyph malware used in govt attacks (BleepingComputer)
Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics (The Hacker News)
0-days exploited by commercial surveillance vendor in Egypt (Google)
PREDATOR IN THE WIRES: Ahmed Eltantawy Targeted with Predator Spyware After Announcing Presidential Ambitions (The Citizen Lab)
New Apple Zero-Days Exploited to Target Egyptian ex-MP with Predator Spyware (The Hacker News)
Egyptian presidential hopeful targeted by Predator spyware (Washington Post)
Russian news outlet in Latvia believes European state behind phone hack (the Guardian)
Exclusive: Russian hackers seek war crimes evidence, Ukraine cyber chief says (Reuters)
Russian hackers trying to steal evidence of Moscow's war crimes in Ukraine - cyber chief (Ukrinform)
Large-scale cyberattack reported in occupied Crimea (The Kyiv Independent)
NFL, CISA Look to Intercept Cyber Threats to Super Bowl LVIII (Dark Reading)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Gelsemium APT is active against a Southeast Asian government.
A multi-year campaign against Tibetan, Uyghur and Taiwanese targets.
Stealth Falcon's new backdoor.
Predator spyware is deployed against Apple zero-days.
An update on Pegasus spyware found in Meduza devices.
There's a shift in Russian cyber espionage targeting.
A rumor of cyber war in occupied Crimea.
In our Industry Voices segment, Amit Sinha, CEO of DigiCert, describes digital trust for the software supply chain.
Our guest is Arctic Wolf's Ian McShane with insights on the MGM and Caesars ransomware incidents.
And if you're looking for a Super Bowl pick, go with an egg-laying animal.
I'm Dave Bittner with your CyberWire intel briefing. We begin with recent activity that appears to be associated with Beijing.
Palo Alto Networks' Unit 42 is tracking an obscure threat actor, Gelsemium, that targeted a Southeast Asian government.
The campaign featured a combination of rare tools and techniques that the threat actor leveraged to gain a clandestine foothold and collect intelligence from sensitive IIS servers belonging to a government entity in Southeast Asia. The researchers also note that Gelsemium isn't alone. Three separate clusters of cyberespionage activity have targeted different governmental entities in the same country, including critical infrastructure, public healthcare institutions, public financial administrators, and ministries. Each cluster appears to be the work of distinct threat actors.
In another development, Volexity describes long-running surveillance campaigns by the China-aligned EvilBamboo threat actor against Tibetan, Uyghur, and Taiwanese individuals and organizations. The researchers note that these groups represent three of the "five poisons" designated by the Chinese Communist Party.
The threat actor uses backdoored apps to target users of Android and iOS devices.
Volexity says,
There are often supporting Telegram groups used to share the latest version of any given application EvilBamboo is pushing.
Sometimes these groups are themed around a
specific application, but on other occasions they're themed around a category of applications.
While it may seem unusual to download apps from a source like this, it's not an uncommon practice,
particularly where users may speak languages not commonly supported by the official versions of apps.
ESET says the Stealth Falcon APT, which probably acts on behalf of the United Arab Emirates, is using a new and very sophisticated backdoor called Deadglyph to conduct espionage against government entities in the Middle East. Deadglyph has an unusual architecture, and its backdoor capabilities are provided by its C&C server in the form of additional modules. The researchers add,
Notably, Deadglyph boasts a range of counter-detection mechanisms, including continuous monitoring of system processes and the implementation of randomized network patterns. Furthermore, the backdoor is capable of uninstalling itself to minimize the likelihood of its detection in certain cases.
Last week, researchers at Google and the University of Toronto's Citizen Lab discovered an actively exploited zero-day exploit chain for iPhones. The exploit chain was developed by commercial spyware vendor Intellexa and used by Intellexa subsidiary Cytrox's spyware product, Predator. Apple issued patches for the flaws on September 21st. According to Citizen Lab, Predator was used by the Egyptian government to target Egyptian presidential candidate Ahmed Eltantawy.
Citizen Lab states, in August and September 2023, Eltantawy's Vodafone Egypt mobile connection was persistently selected for targeting via network injection. When Eltantawy visited certain websites not using HTTPS, a device installed at the border of Vodafone Egypt's network automatically redirected him to a malicious website to infect his phone with Cytrox's Predator spyware.
In another spyware incident, investigation into a Pegasus infestation at Meduza continues.
The expatriate and dissident Russian news outlet now thinks that a European country
and not Russia was responsible for the monitoring. Suspicion is now directed mostly toward a jittery
Latvian security apparatus. Russia had been the obvious initial suspect, but that conclusion now
seems premature at best and probably false.
Yurii Shchyhol, head of the State Service of Special Communications and Information Protection of Ukraine, said Friday in an interview with Reuters that his organization has seen a distinct shift in the targets selected by Russian cyberespionage services. At least two of the major intelligence units, the GRU and the FSB, had previously shown a distinct preference for collecting against Ukraine's electrical power infrastructure. They're now concentrating on Ukraine's law enforcement agencies, and specifically on those units charged with collecting and analyzing evidence of Russian war crimes.
Shchyhol told Reuters, there's been a change in direction from a focus on energy facilities toward law enforcement institutions, which had previously not been targeted that often.
This shift toward the courts, prosecutors, and law enforcement units shows that hackers are
gathering evidence about Russian war crimes in Ukraine. This may represent the early stages of
an attempt to destroy evidence and otherwise
interfere with investigations, but it's far more likely that it amounts to a form of opposition
research, that the collection is being conducted with an eye to preparing disinformation campaigns
that would be deployed to discredit otherwise credible allegations of war crimes.
The activity is consistent with other recent incidents,
including the compromise of systems at the International Criminal Court.
Around the time a Ukrainian missile strike hit the Black Sea Fleet headquarters in occupied
Sevastopol Friday, Russian sources in Crimea said that the conquered peninsula was under cyber
attack. Oleg Kryuchkov, spokesman for the local occupation authorities,
said in his Telegram channel,
An unprecedented cyberattack on Crimean internet providers.
We are detecting interruptions in the internet on the peninsula.
All services are working to eliminate the threat.
We apologize for the temporary difficulties.
The Kyiv Independent wrote Friday that Ukrainian authorities had yet to comment.
No further developments were reported over the weekend.
There are rumors of Ukrainian hacktivist auxiliary action
and some complaints by Russian occupation authorities,
but this is still so far a rumor of cyber war.
And finally, do you follow professional football? Did you know that the
Super Bowl has a complex and dynamic attack surface? Turns out, it does. The National Football
League and the U.S. Cybersecurity and Infrastructure Security Agency held a tabletop exercise last week
to explore, assess, and enhance cybersecurity response capabilities, plans, and procedures ahead of the Super Bowl.
CISA stated,
The Super Bowl Cybersecurity Tabletop Exercise is the latest in a series of assessments and exercises
designed to ensure the safety of events at Allegiant Stadium.
This exercise brought together more than 100 partners from the NFL, stadium, and federal, state, and local governments to review and discuss plans and procedures for protecting against, responding to,
and recovering from a significant cyber attack during the nation's most-watched sporting event.
The four-hour exercise also provided an opportunity for participants to identify the available resources,
capabilities, and best practices of their governmental partners
and strengthen their resilience.
NFL Senior VP and CSO Cathy Lanier noted,
At the NFL, we understand how important it is to practice like you play,
and this week's exercise is the first of many simulations we will conduct prior to the Super Bowl.
Our Super Bowl prediction is Ravens versus Eagles,
with the Ravens prevailing,
but then we always pick an ornithological final
for professional sports championships.
When there aren't two birds in the running,
we'll at least go for an oviparous championship.
In the World Series, for example,
we're predicting an Orioles-Diamondbacks contest,
egg-laying animals only, with the Orioles taking the championship in six.
Yeah, yeah, we know, before we get objections from herpetologists,
Diamondbacks carry their eggs internally, but still, eggs, close enough.
Place your bets. Coming up after the break, Amit Sinha, CEO of DigiCert,
describes digital trust for the software supply chain. Our guest is Arctic Wolf's Ian McShane
with insights on the MGM and Caesars ransomware incidents. Stay with us.
The SolarWinds incident back in 2020 put a spotlight on the challenges of securing
the software supply chain. Since then, a variety of solutions have been proposed along with products
and platforms to strengthen and simplify the process. My guest today is Amit Sinha, CEO of DigiCert.
In this sponsored Industry Voices segment,
he shares his insights from being on the front lines
of the battle for digital trust for the software supply chain.
If you follow the news, in January this year,
GitHub reported that a whole bunch of encrypted code signing certificates were exfiltrated.
Unfortunately, those certificates were password protected, so the effects were contained.
That was a huge problem.
If you look back earlier, you had issues with code signing keys being compromised at ASUS, at Intel, and even Microsoft.
And in the case of ASUS, they manufacture drivers.
And unfortunately, they put the code signing keys on web servers that were basically being
used to download those drivers.
Once those web servers were compromised,
the signing keys were stolen and the hackers were able to then
essentially sign malware
with those driver updates, right?
And that was crazy.
So now you have malware-infested drivers
that are fundamental to your operating system
in making sure that your devices are working properly.
Intel was a similar problem.
Code signing keys for their boot guard system got leaked
and, again, led to potentially malicious firmware
during the boot process.
I think recently Mandiant has talked about
how Microsoft's code signing keys were
illicitly obtained by, again, threat actors, and they use that to sign malware pretending to be
Microsoft. Imagine how bad that is. You get a piece of software on your PC and it says,
yep, authentic, signed by Microsoft. It just lets people feel safe when it's not.
So the first problem here is that signing keys need to be protected. And fortunately,
in June this year, standards bodies evolved. And now it's a basic requirement that you cannot issue
code signing keys without a hardware token.
And what a hardware token or an HSM module does is it essentially makes sure that the
private keys cannot be exfiltrated, copied, shared, etc.
So it reduces the attack surface of the types of problems that we talked about.
So that's a good evolution.
So step one, you do need to get code signing keys.
And for that, you need to establish yourself as a software developer. And what
companies like DigiCert do, being a root of trust on the internet, as part of our code signing
process, we validate the organization. We check your credentials. We make sure that you're
legitimate and then offer you your code signing keys, which starting
June this year has to be on our HSM.
Now, more mature organizations will take it a step further.
They'll say, well, not only do we need to protect our code signing keys, I need to do
two other things.
The second thing I need to do is I need to inspect my software development supply chain. I need to integrate software trust in the entire CI/CD pipeline, in the build process itself.
And how do we do all this without creating undue friction for the developers
themselves?
I know you've made the point that they just want to write their code.
They want to do their work.
They don't want to be slowed down by these sorts of things.
Can we protect against that?
Yeah, absolutely.
Look, there is a bit of a trade-off between security and ease of use.
I will share an example.
I mean, we talk a lot about generative AI these days.
And every CEO is out there saying,
hey, what can we do with generative AI? And that puts pressure on the software development community
or their teams.
And they'll go and they'll download
whatever packages are available
without scanning them, without thinking about it.
And that can lead to increased risk.
There have been discussions where some language models and some neural network frameworks
were laced with malware and nobody's really thinking about scanning them.
So sometimes when there is pressure to deliver things,
people take shortcuts and it becomes an easy door
through which threat actors can infiltrate
your software development process.
So back to your question, how do we make it easy?
So you have secure software development without too much friction in the process.
It starts with, again, automation.
If you look at DigiCert's Software Trust Manager solution, we automate and integrate into your CI/CD pipeline, basically your development pipeline.
And all the keys are managed in the cloud, in cloud-secure HSMs.
Once you set up your policies, automation kicks in.
And you can say during these key build processes or these milestones, automatically scan software,
flag anything that looks bad.
And if everything is green,
generate a bill of materials and sign the software.
So from a developer's perspective, it's smooth, it's automated.
And what you're shipping is high quality software
that is tamper-resistant.
And it's almost like if you look at FDA stamping a piece of food as organic, right, with all the contents on it, it just gives a higher level of assurance.
Does it take a little bit of extra work?
Sure.
But as a consumer, you feel better because you can make informed choices.
The same is true for software. I think if you have the right set of tools, you can generate high quality software, stamp your brand on it, and your customers can feel more assured that they have a good product for you.
That's Amit Sinha from DigiCert.
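The pipeline gate Sinha describes above (scan the build, emit a bill of materials, then sign, with the private key held in an HSM) is easier to reason about as code. The Go program below is an added example written for this page; it is not DigiCert's or Software Trust Manager's code. Its assumptions: an in-memory Ed25519 key stands in for the HSM (a real pipeline would call a signing service or token and never hold the key bytes), the SBOM is a constructed list of "name version" strings rather than a real SPDX or CycloneDX document, and the scanner's verdict is a boolean the CI job sets. The point it shows that the prose does not is that the signature must bind the SBOM to the artifact digest, so that neither the binary nor its bill of materials can be swapped after signing.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what the build stage hands to the signing gate: the artifact
// bytes, the bill of materials (a constructed stand-in for SPDX/CycloneDX:
// one "name version" string per component), and the scanner's verdict.
type Release struct {
	Artifact  []byte
	SBOM      []string
	ScanClean bool
}

// Manifest travels with the artifact. The signature covers the artifact
// digest and the SBOM together, so neither can be swapped independently.
type Manifest struct {
	ArtifactSHA256 string
	SBOM           []string
	Signature      []byte
}

// GenerateKeys stands in for key creation inside an HSM (assumption for
// this example). In a real pipeline the private key never leaves the
// token; only the Sign call inside SignRelease would be forwarded to it.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical builds the exact byte string that is signed and verified.
// Newline framing is adequate for this constructed input; a real format
// would use a canonical encoding (for example a DSSE envelope) so that a
// component string cannot mimic the framing.
func canonical(sha string, sbom []string) []byte {
	var b bytes.Buffer
	b.WriteString("sha256:" + sha + "\n")
	for _, c := range sbom {
		b.WriteString("component:" + c + "\n")
	}
	return b.Bytes()
}

// SignRelease is the gate: a flagged scan means no signature, so a build
// that pulled in an unvetted package cannot ship looking authentic.
func SignRelease(priv ed25519.PrivateKey, r Release) (Manifest, error) {
	if !r.ScanClean {
		return Manifest{}, errors.New("refusing to sign: scanner flagged this build")
	}
	sum := sha256.Sum256(r.Artifact)
	sha := hex.EncodeToString(sum[:])
	sig := ed25519.Sign(priv, canonical(sha, r.SBOM))
	return Manifest{ArtifactSHA256: sha, SBOM: r.SBOM, Signature: sig}, nil
}

// VerifyRelease is the consumer side: recompute the digest from the bytes
// actually received, then check the signature over digest plus SBOM.
func VerifyRelease(pub ed25519.PublicKey, artifact []byte, m Manifest) error {
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != m.ArtifactSHA256 {
		return errors.New("artifact digest does not match manifest")
	}
	if !ed25519.Verify(pub, canonical(m.ArtifactSHA256, m.SBOM), m.Signature) {
		return errors.New("signature invalid: wrong key, or manifest tampered")
	}
	return nil
}

func main() {
	pub, priv := GenerateKeys()
	r := Release{
		Artifact:  []byte("constructed driver binary v1.0"),
		SBOM:      []string{"libfoo 1.2.0", "zlib 1.3"},
		ScanClean: true,
	}
	m, err := SignRelease(priv, r)
	if err != nil {
		panic(err)
	}
	fmt.Println("clean build:", VerifyRelease(pub, r.Artifact, m))
	fmt.Println("tampered artifact:", VerifyRelease(pub, []byte("constructed driver binary v1.0 + implant"), m))
	bad := m
	bad.SBOM = []string{"libfoo 1.2.0"} // a component silently dropped from the SBOM
	fmt.Println("SBOM stripped:", VerifyRelease(pub, r.Artifact, bad))
}
```

The two failure paths in main correspond to the two cases Sinha raises: a binary modified after signing (the ASUS-style malware-in-the-driver case) and a manifest that no longer describes what was scanned. A stolen key would still verify here, which is exactly why the key material belongs in hardware rather than on the download server.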
MGM Resorts and Caesars Entertainment in Las Vegas are both recent victims of high-profile breaches of their systems,
with Caesars reportedly negotiating a ransom payment
and MGM claiming to have most of their systems back online,
with a few fits and starts.
Ian McShane is Vice President of Strategy
at Arctic Wolf Networks,
and I checked in with him for insights
on these high-roller hacks.
My brain instantly went to,
oh, I wonder if that's ransomware,
just like any other kind of incident.
A similar thing happened a few weeks ago
when I was flying from London to the US,
and the air traffic control system in the UK went down.
The first thing that came to my mind is,
oh, I wonder if that's ransomware.
And it seems like that's where a lot of people's brains go to
when they see organizations,
certainly high-profile organizations,
having some kind of technical difficulties.
And that seems to have played out here, right?
I mean, at least the,
even if we're only at the point of informed speculation, and I suppose
Caesars has filed an 8-K,
I mean, ransomware seems to be where we've landed?
It seems like, and yeah, you're right,
there's a lot of this is just speculation
or at least
educated guesswork on behalf
of people that have been in and around the incident
itself, but yeah, it certainly seems like
it was a ransom-type event.
I don't know whether ransomware was actually deployed to anything. There's been talk of, you know,
some infrastructure being infected with something, but I don't know that that's actually been
confirmed. Certainly not for MGM anyway. I think part of what's been surprising people is at least
the perception with organizations like this, you know, big casinos who are handling millions of dollars a day,
that they would have the resources to have better security than perhaps what we're seeing here.
Is that a fair assessment?
It's important to think about what really happens here.
And, you know, ultimately, it sounds like what it is is some kind of phishing or vishing,
which is an awful portmanteau of voice phishing, I suppose.
And so these kind of social engineering incidents can really happen to any organization.
It's less about technical controls and more about people and process.
Now, that's not to say that people are necessarily to blame.
It's hard to point fingers and say they could have invested more or they didn't invest enough when we don't really know the entire story. And again, it's important to understand that anyone,
any organization or any human being, for that matter,
could be caught out by this type of scam.
Just think about the amount of people that are conned into giving away
or transferring money away on a daily basis,
which again is another kind of social engineering attack.
I suppose it's a reminder that if this can happen
to well-funded organizations like these,
it could happen to anyone. Yeah, exactly. And again, it's a reminder that technology
isn't the be-all and end-all in cybersecurity. There's a lot to be said for the human process,
the human factor in both the defensive side and on the receiving end of the attack itself.
You know, it almost sounds similar to the incident with Uber last year as well.
It's used another type of social engineering, but this time through technology, right, to
gain access.
And ultimately, that one caused a lot of panic across the industry around the use of multi-factor
authentication and how the applets can really be used to annoy someone into doing something
they normally wouldn't do.
What do you suppose is going on at this moment when it comes to incident response?
Well, it's been a week, maybe a little bit longer, 10 days, I guess, as we're recording this.
So at this point, I would have expected a company of that size to have a pretty well-defined
disaster recovery plan, assuming they have contingency plans for when power goes out,
when their systems go down, not through a threat actor incident, but through
some other kind of problem, I would imagine that they've got well-rehearsed plans to bring things
up and running as fast as possible, certainly for their critical infrastructure. So at this point,
I would imagine that there's probably some law enforcement engagement going on to help understand what happened, how it happened, and whether or not there's an avenue for law enforcement to help with, as well as the internal postmortem of figuring out how do we get everything back to a good state and how do we prevent this from happening again in the future?
You know, it's easy to throw rocks, you know, from the outside and be critical here.
But one of the things that struck me with this incident was the breadth of systems that have been affected here. I'm speaking specifically with MGM.
You know, we hear slot machines have gone down, reservation systems.
There's reports of hotel doors not being accessible and so on.
As we read the tea leaves on that, is it likely that the bad actors were able to get in and then
make lateral movement? Or were maybe more of these systems hosed together in a common way
than perhaps was wise? It's very difficult to say. And of course, Monday night quarterbacking
is very easy for people like us to sit here and do,
and largely unfair, really.
But there's a couple of things.
It could be that they had a flatter network topology
than they could have,
so just one successful intrusion
meant the actor could move laterally to anything.
It could go way more deeper than that.
Maybe the adversaries
were specifically attacking a user account or user credentials that had explicit permissions
across multiple systems, or maybe they hopped between accounts. Maybe the chain of attack is
more complex than, air quotes, just a phishing attack. There's so much unknown about what
happened here. And the impact, like you said, is so broad. It makes this a really interesting incident. And I mean that in the
best possible way possible. And I don't mean to be detrimental to the people that are suffering
through the incident response process themselves. Right. What are some of the lessons you think that
we can take away from this? Well, again, it comes down to it's not just technology. If this truly was, as widely reported, if this truly was a threat actor calling up the help desk and walking through some kind of remediation workflow to get access to an account, it's one of those things where you have to think about how do you authenticate that the person calling the Arctic Wolf help desk is really Ian asking for his account credentials to be reset?
Similar in a way to how we talk about business email compromise, which is that scam where someone manages to convince from an internal email account,
convince someone with the authority to transfer money to send a large sum of cash to a bank account outside of normal process.
And so, you know, I think there's
something to be said for security awareness, helping people understand what are the risks,
but also, you know, going through the post process and procedure and making sure you're giving
your employees that are tasked with this type of help desk work where you're, you know,
resetting credentials or providing locked out account holders with access to their accounts,
that you're able to, that they're able to actually authenticate the people correctly
and not just, oh, yeah, this is your name, this is your email address,
I'll get that sent over to you straight away.
That's Ian McShane from Arctic Wolf Networks.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment with Jason and Brian on their show.
For a lively discussion of the latest news every week,
you can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.