CyberWire Daily - Cyberespionage, straight out of Beijing, Teheran, and Moscow. Developments in the criminal underworld. Indictment in a dark web carder case.
Episode Date: May 4, 2023

An APT41 subgroup uses new techniques to bypass security products. Iranian cyberespionage group MuddyWater is using Managed Service Provider tools. Wipers reappear in Ukrainian networks. Meta observes... and disrupts the new NodeStealer malware campaign. The City of Dallas is moderately affected by a ransomware attack. My conversation with Karin Voodla, part of the US State Department's Cyber fellowship program. Lesley Carhart from Dragos shares Real World Stories of Incident Response and Threat Intelligence. And there's been an indictment and a takedown in a major dark web carder case.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/86

Selected reading.
Attack on Security Titans: Earth Longzhi Returns With New Tricks (Trend Micro)
APT groups muddying the waters for MSPs (ESET)
Russian hackers use WinRAR to wipe Ukraine state agency's data (BleepingComputer)
WinRAR as a "cyberweapon". Destructive cyberattack UAC-0165 (probably Sandworm) on the public sector of Ukraine using RoarBat (CERT-UA#6550) (CERT-UA)
The malware threat landscape: NodeStealer, DuckTail, and more (Engineering at Meta)
Facebook disrupts new NodeStealer information-stealing malware (BleepingComputer)
NodeStealer Malware Targets Gmail, Outlook, Facebook Credentials (Decipher)
City of Dallas likely targeted in ransomware attack, city official says (Dallas News)
Cybercriminal Network Fueling the Global Stolen Credit Card Trade is Dismantled (US Department of Justice)
Secret Service, State Department Offer Up To $10 Million Dollar Reward For Information On Wanted International Fugitive (US Secret Service)
Police dismantles Try2Check credit card verifier used by dark web markets (BleepingComputer)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
An APT41 subgroup uses new techniques to bypass security products.
Iranian cyber espionage group MuddyWater is using managed service provider tools.
Wipers reappear in Ukrainian networks.
Meta observes and disrupts the new NodeStealer malware campaign.
The city of Dallas is moderately affected by a ransomware attack.
My conversation with Karin Voodla, part of the U.S. State Department's Cyber Fellowship Program.
Lesley Carhart from Dragos shares real-world stories of incident response and threat intelligence.
And there's been an indictment and a takedown in a major dark web carder case.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, May 4th, 2023. We begin with a rundown of some developments in cyber espionage.
Researchers at Trend Micro have discovered a new campaign by the Earth Longzhi subgroup of APT41.
The attacks use a relatively novel technique the researchers call stack rumbling.
Stack rumbling abuses Image File Execution Options (IFEO), a Windows debugging facility, as a denial-of-service method to disable security products.
The researchers state, "We've noticed that this campaign installs drivers as kernel-level services by using Microsoft Remote Procedure Call instead of using general Windows application programming interfaces. This is a stealthy way to evade typical API monitoring."
Trend Micro notes that the campaign tends to exploit public-facing applications, Internet Information Services, and Microsoft Exchange servers.
Earth Longzhi is also using forged Windows Defender binaries to launch a new variant of Croxloader and SPHijacker, which can disable security products.
Earth Longzhi has been seen targeting government, healthcare, technology, and manufacturing organizations in the Philippines, Thailand, Taiwan, and Fiji.
The researchers assess that Vietnam and Indonesia are probably the next countries Earth Longzhi will target.
ESET has reported a new campaign by MuddyWater, a cyber espionage group linked to Iran's government.
The group's use of SimpleHelp,
a legitimate managed service provider tool,
was of special interest.
ESET says, "We discovered that when SimpleHelp remote support software was present on a victim's disk, MuddyWater operators deployed Ligolo, a reverse tunnel, to connect the victim's system to their command and control servers."
While this campaign continues, MuddyWater's use of SimpleHelp has, thus far, successfully obfuscated the MuddyWater C2 servers. The commands to initiate Ligolo from SimpleHelp have not been captured.
ESET reached out to the MSP that owned the tools used, but so far the timing of the attack and the methods the group used to obtain the tool remain unknown.
ESET writes, "MSPs require both trusted network connectivity and privileged access to customer systems in order to provide services."
This means they accumulate risk and responsibility for large numbers of clients.
Importantly, clients can also inherit risks from their chosen MSP's activity and environment.
CERT-UA warns that the threat group UAC-0165, almost certainly Russian and probably the GRU's Sandworm, has deployed RoarBat wipers against networks in Ukraine.
They state, "It has been found that the performance of electronic computing machines, such as server equipment, automated user workplaces, and data storage systems, was impaired as a result of destructive influence carried out using the appropriate software."
The nominally hacktivist group Cyber Army of Russia Reborn in January of this year claimed a similar attack against the Ukrinform news service.
CERT-UA points out that organizations can take measures to protect themselves against RoarBat.
CERT-UA states, "Please note that the successful implementation of the attack was facilitated by the lack of multi-factor authentication when making remote VPN connections, the lack of network segmentation and filtering of incoming, outgoing, and inter-segment information flows."
Meta yesterday detailed a new malware campaign that targets social media accounts by advertising ChatGPT services.
NodeStealer, first identified in January,
has been targeting several platforms, including Dropbox, Google Drive, Mega, MediaFire, Discord, Atlassian's Trello, Microsoft OneDrive, and iCloud, in addition to Meta platforms.
Meta claims to have blocked over 1,000 unique ChatGPT-themed malicious URLs on its platform.
They write, "These actions led to a successful disruption of the malware. We have not observed any new samples of malware in the NodeStealer family since February 27th of this year and continue monitoring for any potential future activity."
NodeStealer favors disguising its malware, which arrives as an executable, as Microsoft Office files or PDFs, both very commonly used formats.
Meta explains that when executed, the malware first establishes persistence to ensure that it continues to operate after the victim restarts the machine.
The malware uses the auto-launch module on Node.js to do so.
The malware is designed to steal browser data like passwords and cookies, and it works against users of Chrome, Opera, Microsoft Edge, and Brave browsers.
Meta has also shared indicators of compromise
and other information about NodeStealer's operation
to promote a stronger collective defense.
The city of Dallas has
reported that it was affected by a ransomware attack yesterday. The effects seem to be limited,
amounting to a nuisance. The city says less than 200 of the city's thousands of devices are impacted,
but if any city device is at risk, it will be quarantined and blocked by IT services.
The Dallas Police Department has
experienced a disruption of its computer network that's requiring 911 dispatchers to take notes
and pass the information directly to police officers. The city courts were forced to close
yesterday and today. A ransom note that researcher Brett Callow obtained and tweeted indicates that the attack may have been carried out by the Royal ransomware group.
U.S., Austrian, and German authorities have taken down the Try2Check service, a dark web platform on which criminals could run checks on the validity of stolen credit cards.
Bleeping Computer writes that Try2Check is believed to have been in operation since 2005.
The platform's operator, Russian citizen Denis Gennadyevich Kulkov, was also indicted in the U.S.
on charges related to access device fraud, computer intrusion, and money laundering.
Mr. Kulkov is presently living, if not exactly living it up, in Russia,
and so is out of reach of U.S. law enforcement,
but the feds will be watching for him to slip up and leave his relatively safe life in Russia for more appealing precincts.
The U.S. Secret Service and State Department have announced a $10 million reward
under the Transnational Organized Crime Rewards Program for information
leading to his apprehension.
It's World Password Day. Talk among yourselves about all the obituaries and valedictions being pronounced on the password as such. But more importantly, may the fourth be with you. And don't get cocky, kid. Do or do not. There is no try.
And finally, our CyberWire associate producer Liz Irvin was with us for the first time at the RSA conference this year, and she shared her mic with conference goers walking the show floor.
She files this report.
We're here in the beautiful San Francisco at the RSA conference for 2023.
My name is Liz Irvin, and this is my woman on the street, walk and talk with cyber professionals around the world.
So starting off, have you ever been to RSA before?
First time at RSA.
This is my first time at RSA. The company's been here, was here last year, but this is my first time here.
So what are you finding that you liked so far, and how is it going?
First of all, I was really impressed by the marketing effort of everyone. I love the possibility to interact with other technology vendors, so it's a really good way to, let's say, interact and meet the people you are not used to working with or not used to exchanging with.
I thought it was going to be overwhelming inasmuch as it's very busy.
It's actually very comfortable.
I like the atmosphere.
I'm learning a lot about, not so much from a competitive basis,
but those around that we can work with for better symbiosis as well.
It's honestly inspiring.
It's kind of gotten me out of an academic rut,
thinking more about how I see myself in the cyber world in the future.
The theme this year
is called Stronger Together. What do you think and how do you feel about that theme for this year?
I can definitely see the theme of Stronger Together kind of ringing off of every room
in this conference too. And I think more than that, the strategy within cyber and the vision
that people have is definitely a whole of society approach.
There's a real recognition that everyone here has something to bring to the table.
I definitely think that that is a theme that's really important and a theme that I've been
seeing a lot, not just only in the US, but also in the UK.
I think it's so important, no matter if you're a competitor or if you're part of the same
team, it's always so important to do knowledge sharing because that's how we grow.
And ultimately, we also just need to protect.
Fundamentally, cybersecurity is a team sport.
And we are stronger together.
To use an old systems engineering adage,
the whole is truly greater than the sum of its parts.
So last question, do you know what RSA stands for?
Absolutely not.
I don't.
That's so bad.
I know that it's the last three letters of the three founders of the company, of the trade show.
RSA is, I believe, an acronym for, I don't
know how to pronounce all three names, but there are three individuals that started crypto algorithm,
I believe, in the 70s. And now it's pretty much just RSA.
No idea what their last names are, though.
It stands for three last names that I cannot pronounce.
Okay, I gotcha.
That's Liz Irvin, our N2K Network's associate producer,
reporting from the show floor of last week's RSA conference in San Francisco.
Coming up after the break,
my conversation with Karin Voodla, part of the U.S. State Department's Cyber Fellowship Program.
Lesley Carhart from Dragos shares real-world stories of incident response and threat intelligence.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
Lesley Carhart is Director of Incident Response at Dragos, and it is my pleasure to welcome them to the show.
Lesley, great to see you again.
Show going well for you so far here at our RSA conference?
It's going fantastic.
I've done the hard part of giving my talk, so now it's easy from here.
Well, let's talk about that. You were part of a keynote panel this morning. Can you share some insights? What was that all about?
It was on incident response, and it was a rock star panel I was very privileged to be a part of, with Wendi Whitmore and Katie Nickels and Lily Newman, just a phenomenal group of people talking about incident response
and what's going on in that space
and what's in the store for the future in that space.
Can you share with us some of the highlights?
What were some of the insights that the group shared?
So we talked a lot about the evolution of threats
and how ransomware attacks and criminal actors are changing their tactics,
as well as what state actors are
up to these days. But we also talked a lot about the challenges that we face in incident response
as a profession. So that's everything from mental health and burnout to hiring pipelines. It's very
challenging to get new people into the field. And also things like planning for incident response
and how to share information and how to make hard risk decisions about what to do in incidents.
So it was a wide array of important topics that are challenging, "it depends" kind of questions.
Yeah, I'm really interested as a leader in that space, when you're looking to bring people onto your team, what are the personality elements that make for a good incident responder?
You have to have a couple different important skill sets. So first of all, you have to be a
good investigator. That doesn't necessarily mean you have to have all the technical skills right
away, but you have to have a good investigative methodology and mindset. So you need to be able to
understand the scientific method for building a hypothesis and trying to disprove it and
understand that you have to have evidence before you jump to conclusions and corroborating evidence.
So we talked a lot about skepticism. So it's important to be skeptical about incident response
and what's potentially happening in an environment. A lot of us come into environments where everybody's
panicking and we have to do a
lot of crisis management. So that becomes a second important skill set for incident responders. We
also have to be very good at being the common voice in the room. We equated it to being a
therapist or being a parent. You have to exude confidence and calm in a situation where everybody's
upset. So you have to be able to do both of those things. But in
terms of investigative mindset, you have to understand that you can't jump to conclusions.
Everything that you are finding has to be corroborated. And sometimes you're trying to
disprove something instead of prove it. Everybody else is certain that the crisis is being caused
by a particular state or it's cyber caused at all. And you're coming in saying, well, let's get some evidence.
And what if it isn't?
Let's try to disprove that actually being what happened.
That's how you do good science and good investigation.
So you have to have both of those skill sets, which is a challenging combination sometimes.
Is diplomacy a part of it too?
Interactions with the folks?
You're the outsider coming in, right?
I sometimes call my job marriage counseling, in fact.
I love that.
And that's especially applicable to industrial incident response,
which is a different beast in a lot of different ways.
But in industrial incident response,
we have even more personality management.
We often have the engineers and the operators
who do the important process work.
They are the bread and butter of their organization.
And then you have a cybersecurity team as well
who's doing important work to protect that process space,
but they speak a different language
and they step on each other's toes.
Sometimes there's been a decade or two decades
of hostile relationship between those groups,
between IT people not understanding the
process and not understanding that they can't just bring systems down to patch them. That's
problematic for safety reasons, for life and safety reasons. And those miscommunications over
time have built this animosity where sometimes our team just has to come in and sit at a table
for them to have a conversation. We just have to sit there. We don't have to say a lot.
You know, we come with some donuts and we sit at the middle of the table and then they'll finally talk to one another, which they haven't done in years.
But yeah, incident response is a lot of that.
There's a lot of personality management.
You have a lot of people in authority who are panicking and trying to, they might perceive that they've done something wrong, even though incidents can happen to absolutely any organization.
But there's a lot of blame and passing blame during incidents oftentimes.
And there's a lot of people trying to protect themselves and their careers.
Everybody's stressed out.
It's a big crisis.
It's the worst day for an organization.
So a lot of what we do is try to calm people down and, again, be that authoritative, calm voice in the room.
As you walk around the show floor here at the RSA conference, what are you seeing in terms of trends in your specific industry, industrial control systems?
Are there any patterns you're seeing among the providers there?
The interesting thing to me at RSA every year is seeing what the flavor of the year is. Everybody's kind of coming in with
similar products every year. They're still selling their services or their products and they do
important things, but they frame their advertising and their marketing materials around whatever
people are kind of worried about, the collective subconscious for the year. And that's fascinating
to me because it's not just the collective subconscious of technical practitioners like me, but also like executives. What are they
worried about? You'll see that reflected across the floor at RSA in terms of marketing and branding
and how people are selling the same things that they sell every year. But this year,
they're concerned about specific things. So on the floor this year, you see like a lot of chat GPT.
You see a lot of SBOM. SBOM is very relevant to industrial cybersecurity,
so I'm really happy to see that discussed.
Of course, the foundations and fundamentals
are still very, very challenging for industrial operators.
And is there more attention being brought to that at RSA?
Not necessarily, because the fundamentals
like asset management and basic
security monitoring, they aren't as cool and fun to flashy advertise for at RSA, definitely,
but they're still very, very important. But all the things that people are concerned about every
year tend to be real issues that matter for cybersecurity. Last year, we saw a lot of discussion of zero trust.
Everybody was everybody's booth.
No matter what they were selling,
they all talked about zero trust.
Year before that, it was MITRE ATT&CK.
And those are all important things
that are important elements of cybersecurity.
It's just interesting to me
seeing what people are concerned about
and what they're talking about at RSA every year.
Yeah, absolutely.
Well, Lesley Carhart is Director of Incident Response at Dragos.
Thank you so much for joining us.
An absolute pleasure. Thank you so much.
Karin Voodla is Advisor for Digital Affairs at the Ministry of Foreign Affairs of Estonia.
At last week's RSA conference, I spoke with her about her participation in the U.S. State Department's Global Emerging Leaders in International Cyberspace Security Fellowship.
It was something that was facilitated
by the embassies across the globe.
And I was approached by the,
or actually our MFA was approached
by the U.S. Embassy in Tallinn.
When it was time to set up the candidates,
my boss came to me asking like,
this sounds like a great program.
Would you be interested?
And I was like, absolutely.
You know, it seems something that it can be a great opportunity
to meet people across the globe,
to get more insights of the whole cybersecurity space
that we're dealing with.
So I just thought it's a great opportunity.
Of course, I didn't hear back for like months and months.
So I was trying to figure out, like, was I selected? What's the case? Where are we standing right now?
And then eventually, when Brian from our U.S. Embassy, so greetings to Brian, reached out to me, he was like, congratulations, you're chosen.
And then, you know, the excitement got real, and I was really trying to figure out what's waiting for me ahead.
Sure. Well, what were your responsibilities back home in Estonia?
Well, it's actually interesting because last year our MFA went through a reform
structuring the MFA. So before I was actually dealing with digital affairs
under the trade department.
And then now it was merged with cyber diplomacy.
So for a year, almost, we've been the digital and cyber diplomacy department.
So my duties have also changed a bit over time.
But right now, I'm really focusing on international digital policy.
So it's a lot to do with the UN, the discussions on the global scale.
Of course, we have some of our own projects globally
by Estonia, which I'm also a part of.
Then again, it's the EU that we're a member of.
So some of the work in the EU,
and of course, on a national level,
because we have to participate
in our national policymaking matters.
So it's actually, it's outwards, but it's also like inside of Estonia.
And so what have the opportunities been through this fellowship?
What are some of the things that you've been able to experience?
Well, today it's Wednesday, I guess. I'm still a bit jet lagged, right? It's a 10-hour time difference between here in San Francisco and Estonia.
But so far the program has been great, and I think it has been great since the evening I arrived. You know, we had a nice dinner together, everyone tired, but you already go and interact, you know, you realize the people have come from across the globe.
Literally, we have people from all kinds of continents.
And then, so I would say the interactions are definitely one of the main things.
Then again, we met the ambassador for cyber and digital space, Nathaniel Fick, on Monday.
Then we have been at the RSA conference on Monday
and then full day today.
We also heard more about the ransomware task force
just before coming here.
Yesterday, we visited the Google headquarters
and heard about their activities in terms of the cybersecurity.
And then we visited the Stanford University.
And I think a part of the program here is that you have the opportunity to interact
with other fellows from different parts of the world.
That has to be an enriching experience in its own.
Oh, absolutely.
I think that was why I was mentioning this as the first thing, right?
You come here, even though in my job you go and interact with diplomats inside of your working groups,
you know, the line of work that I do. But then you come here and you realize how people's personal perceptions are also a bit different, maybe, from the States, right?
So it's literally just a lot of conversations that really like open your eyes more
in terms of what I do.
But again, like the cultural differences,
I think these enrich our whole fellowship group a lot.
And I think Linda from the State Department
who's bossing around us here a bit,
she's been telling that it really is a good group
that's been put together, and I really second on that.
What are you looking forward to over the time
that you're going to be able to experience this,
and what are you hoping to bring back home from the experience?
I, on purpose, didn't want to set any expectations for myself,
you know, just to kind of go to the fellowship, see how it develops,
get just the most out of it I can.
And I'm really thankful for the State Department for the program
that they have put together, because really hearing who have they managed
to squeeze into the agenda, knowing these people are really busy every day
and they're really experts in their field.
I think it will give us a lot of new information.
Of course, I'm really interested to hear more
about the US and its national initiatives
and how their policymaking
and of course the whole structure is,
because the federal system compared to the country I come from,
it's very different.
And it's really interesting to actually hear
how other countries operate and what they do.
Our thanks to Karin Voodla from the Ministry of Foreign Affairs of Estonia
for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliott Peltzman.
The show was written by John Petrik.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Thank you. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.