CyberWire Daily - Cyberespionage prospects telecom companies: Operation Diànxùn. Working against exploitation of Exchange Server. And rerouting SMS messages (it cost only $16).
Episode Date: March 16, 2021
McAfee describes Operation Diànxùn, a probable Chinese collection effort directed against telecoms and 5G technology. Organizations around the world continue to work to thwart exploitation of Exchange Server vulnerabilities. What's a webshell, and what can it do? Ben Yelin looks at cell phone data gathered from the US Capitol riot. Our guest is Ross Rustici from ZeroFOX on the evolution of ransomware. And how much does it cost to redirect all your SMS messages to some goon? Said goon needs only sixteen bucks. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/50
Transcript
You're listening to the CyberWire Network, powered by N2K.
McAfee describes Operation Diànxùn, a probable Chinese collection effort directed against telecoms and 5G technology. Organizations around the world continue to work to thwart exploitation of Exchange Server vulnerabilities. What's a web shell and what can it do? Ben Yelin looks at cell phone data gathered from the U.S. Capitol riot. Our guest is Ross Rustici from ZeroFox on the evolution of ransomware. And how much does it cost to redirect all your SMS messages to some goon? Turns out, only 16 bucks.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 16th, 2021.
McAfee's Advanced Threat Research Strategic Intelligence team late this morning released its research into a threat actor
they found operating against telecommunications targets,
specifically against individuals working in that industry.
McAfee is calling the campaign Operation Diànxùn, after the Mandarin word for telecommunication, appropriately enough. Their work includes a technical analysis of the campaign's tactics, techniques, and procedures, which show some signs of overlap with TTPs used by both RedDelta and Mustang Panda, groups that have generally been associated with Chinese intelligence services.
It's not clear exactly how victims have been infected,
but McAfee believes with moderate confidence that they were lured in some fashion
to a domain under the control of the threat group,
where malware was installed in their devices with a view to further exploitation.
The malicious domain was designed to look like a career site for Huawei.
The individuals the campaign sought to lure were mostly in Southeast Asia, Europe, and the U.S.,
and the threat actors appeared to be interested in German, Vietnamese, and Indian telecom companies.
The motive, McAfee thinks, was probably to collect against proposed bans of Chinese equipment from the global 5G rollout
and also to steal sensitive or secret information in relation to 5G technology.
McAfee has also offered some advice on threat hunting
and other ways of increasing an organization's defenses against campaigns like Operation Diànxùn.
The operations of that other Chinese-run threat group, Hafnium, remain, of course, in the news. Its cyber espionage campaign, exploiting now-patched Exchange Server zero-days, morphed in late February into multiple campaigns conducted by both state-directed and criminal threat actors. France 24's account of the incident bears out its headline: it's turning into a global crisis. Criminal interest in exploiting unpatched Exchange servers continues unabated. Security firm Check Point says that it's observed attacks increase by an order of magnitude just over the past week, from 700 on March 11th all the way up to 7,200 just yesterday, March 15th. Quote, "The country most attacked has been the United States, with 17% of all exploit attempts, followed by Germany, 6%, the United Kingdom, 5%, the Netherlands, 5%, and Russia, 4%," Check Point researchers say. "The most targeted industry sector has been government and military, with 23% of all exploit attempts, followed by manufacturing, banking and financial services, software vendors, and healthcare."
Exploitation of Exchange Server also offers considerable opportunity for fraud, and a more plausible kind of fraud than one sees in crudely executed phishing expeditions. The social engineering experts at KnowBe4 have seen a corresponding rise in account impersonation attempts.
Quote, "Account impersonation is incredibly dangerous because the recipient of the email believes that they are speaking to the trusted party via email, so they are much more likely to click on a malicious link or open an infected email attachment. Ransomware is another one of the potential cybersecurity problems that threaten the operational capabilities of businesses that have not patched their systems yet due to this exploit. For any organization using Microsoft Exchange servers, it is recommended to patch immediately."
The U.S. Cybersecurity and Infrastructure Security Agency has updated its advice on dealing with Microsoft Exchange Server exploitation to include notes on China Chopper web shells being used against victims. The U.K.'s National Cyber Security Centre, like its counterparts in the U.S., Germany, and elsewhere, has urged all organizations, both public and private, to apply Microsoft's patches as soon as possible. They also recommend that all organizations look for signs of compromise by threat actors, whether Chinese intelligence services or criminal gangs. To return to CISA's advice, the agency stresses that its most recent list of seven China Chopper web shells isn't necessarily exhaustive.
They also have a useful summary of what a web shell is and what it can do.
CISA explains, quote,
A web shell is a script that can be uploaded to a compromised Microsoft Exchange server
to enable remote administration of the machine.
Threat actors use them to harvest and exfiltrate sensitive data and credentials,
to upload additional malware for the potential of creating, for example, a watering hole for
infection and scanning of further victims, to use as a relay point to issue commands to hosts
inside the network without direct internet access, and to use as command and control infrastructure,
potentially in the form of a bot in a botnet or in support of compromises to additional external networks.
This could occur if the adversary intends to maintain long-term persistence.
Patching Exchange Server is obviously necessary, albeit not sufficient, to protect against the ongoing attacks. Microsoft itself has continued to update its guidance on protecting on-premises Exchange servers from attacks. Just yesterday, the Microsoft Security Response Center released a new one-click mitigation tool to help users secure both current and out-of-support versions of Exchange Server. The tool will be of particular use to smaller organizations that may lack a dedicated security team.
Vice has a disturbing first-person account of how an SMS marketing tool by Sakari can be abused to redirect messages to a third party. It's not an exotic hack. All the bad actors would need to do is sign up for the service (it's only 16 bucks, a bargain as these things go), falsely claim to be the owner of your number, and then have your messages redirected to a number under their control. It's not that Sakari is deliberately marketing to criminals, but rather, to judge from Vice's account, that the method of verifying that the number you want to have forwarded is in fact a number that belongs to you is too close to the honor system. And as you all know, there's no honor among thieves. And of course, you don't need to be a technical sophisticate to be a successful cyber crook.
Ross Rustici is Global Head of Security Architecture and Threat Intelligence at ZeroFox. He joins us with an update on what he and his team have been tracing in terms of the evolution of ransomware.
So ransomware is one of these unique attributes of the criminal underground
where you've seen several evolutions over the last really five years or so. And really what was
noteworthy in 2020 and coming into this year in 2021 is really the cat and mouse game that we're
seeing between security professionals and the operators of ransomware.
It's not necessarily that the malware itself is getting more sophisticated or we're seeing radical changes in what they're doing or how they're doing it in terms of the technical implementation. The model is changing as more and more companies are getting better about having backups, being able to
basically recover from the initial intrusion without necessarily paying the ransomware
operators. They're looking for new monetization ways. And so they've started doing a much broader
exfiltration of data and trying to hold that data hostage with the threat of public
exposure and doxing rather than just the traditional model that we had seen for the
longest time where they would encrypt the files and hope denial of access was enough to get that
monetization aspect.
And where do we stand when it comes to whether or not folks are actually paying the ransoms these days?
That is a complicated
question to get good statistics on. The general impression, I think, of a lot of defenders is
more often than not, you will see companies pay the ransom. And that's because of the fact that
it's simply cheaper to do so than to go
through the expense of rebuilding the network, especially if you don't have secure backups.
I think what we saw in the 2019, early 2020 phase of things is more and more companies
were moving towards secure backups, getting better at some of your traditional defenses,
and thus reducing that payout.
And that's why you saw the reaction from the ransomware authors.
And now that they've created this new wrinkle in the operation, it's forcing companies to
make that hard choice again.
And you're seeing them go back to paying the ransom because, again, it's easier and it
reduces their overall exposure.
Yeah, you know, we mentioned at the outset that there's kind of been these waves of evolution
in this.
Does it seem like we're kind of in an equilibrium state right now where it's hard to imagine,
you know, what the next wave is going to be if changes are on the horizon or indeed, you
know, the malware operators see a necessity to make any changes?
Yeah, I think right now the move is really with the network defenders.
We got really good at trying to foil the traditional ransomware operation, make the availability of data not as painful for the corporation, and as such, not pay as often.
We saw the ransomware move to that. It was the doxing. It was exfiltrating data. It was causing
pain in a different way. Now it's really up to us as defenders to figure out how you minimize that.
And I think we're going to see kind of another year cycle here, where in 2021 you're still going to see a lot of doxing, and the security community is going to finally come up with a response and start slowing down the amount of payments. And then it's going to take another four to six months for the ransomware operators to find the next new thing for everybody to gravitate to.
That's Ross Rustici from ZeroFox.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host on the Caveat podcast. Ben, great to have you back.
Good to be with you, Dave.
So you and I have been following with great interest the ongoing developments with the
fallout from the January 6th insurrection at the U.S. Capitol building. And an article came by here
that you actually brought to my attention about the FBI and their confidence in some of the cell tower dumps that they've gotten.
Bring us up to date here.
What's on your radar?
So this is from the website emptywheel.net, which is run by Marcy Wheeler, a prominent independent journalist who covers surveillance, privacy, and security topics.
And she wrote a piece on how the FBI must have confidence in the granularity of their Capitol cell tower dumps.
And what she did is she went through the affidavits
of three individuals who have been arrested
in connection with the insurrection
and how cell location information obtained from data dumps
and from geofencing has helped lead to the prosecution
of these individuals. So in the first case she discusses, some of the rest of the evidence seems
rather inconclusive and a little bit flimsy. This person posted on social media, but when they
posted on social media, they were outside the Capitol, which is not illegal at that point.
You could be outside the Capitol without breaking the law. And there was kind of a blurry picture that seemed to maybe
show this person inside the Capitol, but might not have been convincing to a judge or a jury.
So they're relying on this data dump from AT&T, which asserts that this person's cell phone pings one of the AT&T cell phone towers
or whatever they were using inside the U.S. Capitol.
And there are a couple of other cases that they follow,
including one case dealing with a prominent member of the Oath Keepers,
which is a militant group with associates potentially high up in the Trump world,
the Trump administration.
And they're relying on these data dumps in that case, too.
And in that case, it really matters, because if you're not able to secure a prosecution of this individual,
you're potentially not going to be able to get this person to flip on the higher-ups.
So in one of these cases, they had just a really interesting map showing how this actually works in practice.
So this is actually for a third criminal defendant.
They found his Gmail by looking at his Instagram account, on which he had put his Gmail address.
First mistake.
And through Gmail, they were able to obtain data from Google, who did its own geofencing data dump on the day of the insurrection.
And what Google says is they have these little radii of, you know, at each individual location, depending on your proximity to a cell phone tower, how much of a radius they can be confident that you as an individual are in.
And if you look at the diagram they drew, they have three circles based on the pinged locations
of this device. Most of those three circles, the vast majority of them fall inside that Capitol
building. But a small portion of one of the circles falls outside the Capitol building,
which if I'm a defense attorney,
that would be a nice way to show that there might be reasonable doubt in this case.
My client was merely peering inside the windows from the outside.
Yeah, exactly. He just wanted to see what was going on.
Right, right, sure.
What's also interesting is Google says that these radii themselves
are only about 68% accurate.
So if I'm a defense attorney, I'm running with that.
I put the Google representative on the stand and say,
well, how accurate are these representations?
Are these projected radii?
And if they say 68%, I'm looking straight at the jury and saying,
68% seems to me to fall short of that threshold where you're beyond a reasonable doubt.
So just really interesting how the FBI is relying
on these data dumps and geofencing.
But when you have this really key distinction here
between being outdoors, which is legal,
and being indoors, which is illegal,
the importance of granularity really comes into focus.
Yeah. I just put on my RF nerd hat for a bit, something in a former life that I had some familiarity with. And by the way, we get into detail in this case over on the Caveat podcast. So
if you want more coverage of that, do check that out. But one of the interesting things that's brought up in this article and in the comments as well is how it is important what the Capitol building is made
out of, that it is made out of thick stone and it has a metal roof. And all of those things are
unfriendly to the radio frequencies that are used for cellular communications.
And what that leads to is a conclusion that it is highly likely
that there are cell towers, cell access points within the building itself
because it's hard to get signals into the building
and it's hard to get signals out of the building.
So that would increase the accuracy as
well if it is in fact the case, and these folks seem to think it highly likely, that there are
these very small beacon points for cellular communications within the Capitol itself,
which is another fascinating point that sort of plays against the folks who might be trying to
keep their locations or identities anonymized.
And as you pointed out over on Caveat, a big part of the Capitol building is underground.
Absolutely. So you're not going to be getting reliable cell phone service there,
so you have to put in those access points.
There are basements and sub-basements in that building,
if you've ever ridden the elevators there, as I have.
So, yeah, I mean, the infrastructure is there.
Obviously, it was put there not to detect insurrectionists,
but that happens to be a side benefit of it.
Right, right.
No, it's a fascinating story.
Again, it's over on emptywheel.net.
It's titled,
FBI Seems Confident in the Granularity of Their Capitol Cell Tower Dumps.
More on this topic over on the Caveat podcast.
We hope you'll check that out.
Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.