CyberWire Daily - Cyberespionage tradecraft, including shopping in the C2C market. Seeking satcom resilience. Sanctions against disinformation. A quick look at current OT threats.
Episode Date: August 1, 2023

C2-as-a-service with APTs as the customers. Cyberespionage activity by Indian APTs. Gamers under attack. Starlink limits Ukrainian access to its systems. The EU levies new sanctions against "digital... information manipulation." Ukraine's Security Service takes down money-laundering exchanges. Ben Yelin unpacks fediverse security risks. Our guests are Mike Marty, CEO of The Retired Investigators Guild, & Tom Brennan, executive director of CREST, discussing their efforts on cybercrime investigation and cold case resolution. And Nozomi's OT IoT security report sees a lot of opportunistic, low-grade whacking at industrial organizations.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/145

Selected reading.
Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps) (Halcyon)
APT Bahamut Targets Individuals with Android Malware Using Spear Messaging - CYFIRMA (CYFIRMA)
Hackers steal Signal, WhatsApp user data with fake Android chat app (BleepingComputer)
Patchwork Hackers Target Chinese Research Organizations Using EyeShell Backdoor (The Hacker News)
Hackers exploit BleedingPipe RCE to target Minecraft servers, players (BleepingComputer)
Call of Duty Self-Spreading Worm Takes Aim at Player Lobbies (Dark Reading)
Call of Duty worm malware used to hack players exploits years-old bug (TechCrunch)
Elon Musk 'refuses to turn on Starlink' for Crimea drone attack (The Telegraph)
How Elon Musk Was Able to Exert Control in Ukraine War (The Street)
EU strikes Russia again as digital infowar rages on (Cybernews)
Ukraine Cracks Down on Illicit Financing Network (Gov Info Security)
Unpacking the OT & IoT Threat Landscape with Unique Telemetry Data (Nozomi Networks)
China's Volt Typhoon APT Burrows Deeper Into US Critical Infrastructure (Dark Reading)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
C2 as a service and APTs as the customers.
Cyber espionage activity by Indian APTs.
Gamers under attack.
Starlink limits Ukrainian access to its systems.
The EU levies new sanctions against digital information manipulation.
Ukraine's security service takes down money laundering exchanges.
Ben Yelin unpacks Fediverse security risks.
Our guests are Mike Marty, CEO of the Retired Investigators Guild,
and Tom Brennan, Executive Director of CREST,
discussing their efforts on cybercrime investigation and cold case resolution.
And Nozomi's OT-IoT security report sees a lot of opportunistic,
low-grade whacking at industrial organizations.
I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, August 1, 2023.
Researchers at Halcyon have published a comprehensive report delving into the world of command and control providers used by ransomware gangs.
In their study, they shine a spotlight on the Cloudzy virtual private service provider,
which they label as a common service provider supporting ransomware attacks
and other cybercriminal endeavors.
While Cloudzy is incorporated in the United States,
the researchers have strong indications that the company almost certainly operates out of Tehran, Iran,
raising concerns about potential violations of U.S. sanctions.
The researchers' findings reveal that threat actors extensively exploit Cloudzy,
with notable associations to APT groups tied to various nation-states.
These groups hail from China, Iran, North Korea, Russia, India, Pakistan, and Vietnam,
indicating a global network of cyber adversaries.
Moreover, the roster includes a sanctioned Israeli spyware vendor notorious for targeting civilians.
Additionally, the report highlights several criminal syndicates
and ransomware affiliates whose activities have captured international headlines.
Another noteworthy revelation from the cybersecurity domain involves Indian APTs
conducting cyber espionage campaigns. According to CYFIRMA researchers, these APTs are employing a deceptive app called SafeChat
to surreptitiously install spyware on targeted Android devices.
The spyware payload bears similarity to an Android version of CoverLM malware,
capable of capturing call logs, texts, and geolocation data.
The targets of these campaigns appear to be concentrated in South Asia,
particularly Pakistan.
While some observers initially attributed these activities to mercenaries,
CYFIRMA's report contradicts such claims,
asserting that it is in fact an Indian APT group
acting on behalf of a particular nation-state government.
The report elucidates several reasons supporting this conclusion,
but refrains from disclosing the specific target location due to sensitivity and security concerns.
The Hacker News reports that another group known as Patchwork is believed to have ties
to Indian operators. This group is deploying the EyeShell backdoor to conduct attacks against Chinese universities and research institutes
with overlapping techniques observed in targeting entities in Pakistan.
Notably, SideWinder and DoNot Team, both previously linked to India, show similarities in their modus operandi.
BleepingComputer reports that cyber attackers are capitalizing on the BleedingPipe remote code execution vulnerability that affects numerous Minecraft mods running on Forge.
The exploit grants attackers full remote code execution capabilities on clients and servers utilizing popular Minecraft mods.
The vulnerability resides in the unsafe deserialization code of certain mods rather than Forge itself.
Incidents of the BleedingPipe exploit have already been identified on unsuspecting servers,
raising concerns about potential malware spreading to infect connecting clients.
The gaming world faces another security breach.
TechCrunch reports that hackers are spreading a worm through a vulnerability that affects the 2009 version of Call of Duty Modern Warfare 2.
Remarkably, security researcher Maurice Heumann discovered and reported the bug to Activision in
2018, but the company never issued a patch to address the flaw. This simple buffer overflow
vulnerability with limited restrictions
enables attackers to write a full-fledged exploit with ease.
While the gaming incidents themselves may not significantly impact gamers,
they serve as alarming entry points that could lead to wider network breaches.
On the geopolitical front, Starlink, the communication infrastructure project
led by Elon Musk,
has come under scrutiny for selectively limiting Ukrainian military access to its systems.
The Telegraph reports that a planned attack involving surface drone boats against Russian naval units in the Black Sea
was cancelled when Starlink withdrew the necessary connectivity for the operation.
Musk's stance reflects his reluctance to have his system support long-range offensive operations.
However, this decision raises concerns about dependency on external communication infrastructure
and highlights the importance of self-sufficiency in times of geopolitical tension.
The European Union has recently imposed new sanctions targeting digital
information manipulation in the context of disinformation campaigns supporting Russia's
invasion of Ukraine. This latest round of sanctions focuses on an operation known as
Recent Reliable News. The EU identified the creation and operation of over 270 proxy news outlets
that amplified coordinated Russian propaganda.
Entities sanctioned include InfoROS, a news outlet closely connected to Russia's GRU,
considered the coordinator of Recent Reliable News.
Additionally, ANO Dialog, a Russian not-for-profit associated with Russia's Department of Information and Technology, has also faced sanctions.
Moreover, the Institute of the Russian Diaspora, the social design agency Struktura National Technologies, and two Russian IT firms have been subjected to EU sanctions. The measures involve asset freezes and prohibitions on EU citizens funding
these organizations, and designated individuals are forbidden from entering or transiting through
EU countries. As Ukraine grapples with the ongoing war, cybercrime persists even under
wartime conditions. In a recent development, Ukraine's security service announced that it successfully dismantled a network of illicit fundraising sites, facilitating the conversion of Russian rubles into Ukrainian currency.
This network exploited various sanctioned Russian crypto payment services, conducting monthly currency turnover exceeding $4 million.
The Security Service of Ukraine discovered and shut down underground exchange points in cities including Kyiv and Kharkiv, demonstrating the nation's
determination to tackle financial crimes even amid geopolitical turmoil. And finally, Nozomi
Networks released their OT-IoT security report for the first half of 2023. The report highlights a surge in network scanning activities in water treatment facilities,
clear text password alerts across the building materials industry,
program transfer activity in industrial machinery,
OT protocol packet injection attempts in oil and gas networks, and more.
The researchers note there are three main categories of OT and IoT cyber incidents,
opportunistic, targeted, and accidental.
Over the past six months, opportunistic attacks remain the most prevalent
and will continue to flood traffic via DDoS attempts,
enumerate common weaknesses and vulnerabilities for initial access,
and trial and error malware strains regardless of network domains and target systems.
So, recently at least, industrial organizations seem to be facing
much the same sorts of attacks other organizations do.
Whether state actors like Volt Typhoon would represent a more focused
and disruptive threat to industrial processes themselves, remains to be seen.
Coming up after the break, Ben Yelin unpacks Fediverse security risks.
Our guests are Mike Marty, CEO of the Retired Investigators Guild,
and Tom Brennan, Executive Director of CREST,
discussing their efforts on cybercrime investigation and cold case resolution.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Tom Brennan is executive director of CREST International,
a global nonprofit that focuses on accreditation and certification
of cybersecurity professionals within their member companies.
CREST recently announced a partnership with another nonprofit organization called the Retired Investigators Guild, the RIG for short,
along with the release of a co-authored research paper titled Building an Effective Cybercrime Unit.
Mike Marty is CEO of the RIG. You know, our mission is a pretty
simple one. It's restoring America's faith in law enforcement and continuing the tireless pursuit
of criminals in the interest of victims of violent crime. And one of those things, the vehicle in
which violent crime usually is riding in, is some sort of cyber component. That's where I believe the connection between
CREST and RIG is so important. We assist law enforcement agencies with subject matter experts
to help them in major crimes investigations. You all shared some interesting statistics here about
folks who've retired from law enforcement and how an organization like the RIG really gives them an opportunity
to use their skills beyond retirement. Yeah, Dave, it's one of those things that,
you know, I'm a retired homicide investigator, retired from the Douglas County District
Attorney's Office as the chief investigator, working numerous homicides that span the globe.
The average lifespan for somebody like me upon retirement is between
six and nine years. That's a lot of mental issues, a lot of medical and health-related issues that
come with the job. What we attempt to do with RIG investigators is reinvigorate them, get them
passionate about the things that they're subject matter experts in, and direct them to helping
solve cold cases and assisting
with major active cases. Well, let's dig into this research paper. This is Building an Effective
Cybercrime Unit. What are you all hoping to accomplish here with the paper? The goal of the
paper is to outline some practices that are sometimes not well discussed. One of the common
themes that we found in speaking with organizations and agencies around the world
was sometimes the large metropolitan locations
have a pretty good framework that they pull from.
But again, smaller organizations or organizations
that may not be as staffed struggle with what that looks like.
So we help them with identifying both the mapping to the strategy
and some of the minimum standards and what some of those performance indicators may be in running an effective cyber squad, particularly investigating cyber crime.
So there's a component there, as Mike mentioned, I think, that whether it be a homicide, whether it be a kidnapping, whether it be something in that space, nowadays technology is used in just about everything, right?
So there needs to be a component there that is looked upon. And then also spinning around,
when organizations are under attack, we have law enforcement agencies that are being
attacked physically and electronically, and then data integrity is at risk. So let's say you have
undercover operatives or you have individuals that are working on cases or matters, and the
data integrity is disrupted. That can cause significant impact to the victims affected.
You know, Mike, I'm curious where we stand when it comes to law enforcement organizations
having cybercrime units. I'm imagining there's such a broad spectrum. You know,
there's small town police forces and all the way up to something like New York City, which is a huge employer and everything in between.
Overall, what's your sense of where organizations stand in terms of trying to address this issue?
Across the United States, we're behind the eight ball.
We're behind the eight ball because technology advances at such a rapid pace.
And corporations have the money to fund that.
As far as investigations and preventing cybercrime, local law enforcement agency in your
small town barely has the budget to keep men and women on the street, let alone protect their
critical infrastructure and, you know, some of the backbones of their IT network. So, you know,
in my opinion, professionally speaking,
I think that, you know, law enforcement's behind the eight ball when it comes to how prepared we are.
And then investigating those crimes,
let's talk about subject matter expertise.
You maybe have one computer forensics expert
in a small town that services, you know, many jurisdictions.
So overworked and not enough
men and women to do the job. To what degree is there an educational component here as well? I
mean, you know, as you say, cybersecurity and these cyber crimes, they evolve so quickly.
I can imagine it's a challenge for a detective, a law enforcement officer just to keep up.
Yeah, you know, just in standard training, right? Most law enforcement agencies across
the United States have anywhere between 24 and 48 hours of mandatory training just to
be a basic peace officer. Then layer on top of that the specialty assignments that they have.
Now let's talk about computer forensics or cybersecurity. That in and of itself is an
educational path that is in its infancy right now in law enforcement.
And so that's one of the things that I think this partnership between CREST and the RIG will help do with our outreach into those law enforcement agencies to bring a trusted partner with us on our journey.
You know, Mike, you all sent over some statistics ahead of our interview here, and I
found it rather sobering how few organizations have cold case units. What is the response that
you all are getting when you're reaching out to these understaffed organizations and saying,
hey, you know, this may be a potential resource for you? It's been tremendous and welcoming.
You know, I can tell
you as, you know, a former chief, if somebody came to me with this opportunity to have no strings
attached for free subject matter expertise inserted in on a cold case or a major crime
that's active and I didn't have the bodies, this is huge. And so, you know, what we are combating
right now is the funding piece
to fund us so that we can do these things
at no cost for law enforcement agencies.
But it's been overwhelming,
overwhelming support from law enforcement.
That's Mike Marty, CEO of the RIG,
joined by CREST International Executive Director, Tom Brennan.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Hello, Ben.
Good to be with you again, Dave.
So, Ben, you are still hanging out over on the platform formerly known as Twitter, right?
Yes, I'm a dead-ender for X, previously known as Twitter.
Are you X-ing or whatever we call tweets these days?
Xeeting, X-E-E-T, I guess, is the preferred parlance.
Yeah, as bad as it gets now,
as awful as the user experience has become,
I will be there until its last dying day.
Why?
I think it's network effects.
I already have a lot of friends
and acquaintances who are on there.
I have a lot of really interesting
conversations with people.
I've built up that network
over a long period of time,
and it's going to be very difficult to recreate somewhere else. I'm certainly not happy about it.
It's like quitting smoking, right? Or something like that.
It is. Yeah. No, I mean, your body becomes so dependent on it. It's just so hard to quit. Yeah.
I mean, I wish I could quit and I guess I should hold out the possibility
that it gets so bad, but I do consider myself a dead ender.
Okay. Well, I and lots of people like me have put our Twitter accounts into hibernation
or deleted them altogether and found greener pastures over on Mastodon, which, of course, is the federated Twitter-like service.
I guess microblogging is the probably correct term of art for what happens there.
Right. That feels very 2011, but I guess we're still calling it microblogging.
Right, right.
And the big deal with Mastodon is that it is not centralized.
It is part of the Fediverse, and federation means it
functions more like email does, where instead of one big central place where everything happens,
you have lots of servers peppered all over the world, and you sign up to use a particular
instance, and that's where your stuff lives, and it gets sent out to the rest of the Fediverse.
And so this distributed model
certainly has its pluses and minuses. But thanks to everything that's going on at Twitter,
it's gained a lot of popularity. So that leads me to this article from the EFF,
the Electronic Frontier Foundation. And it's written by Cindy Cohn and Rory Mir. It's titled
FBI seizure of Mastodon server data is a wake-up call to Fediverse users
and hosts to protect their users. And evidently this deals with an individual who was hosting
a Fediverse instance, a Mastodon instance, who because of unrelated allegations had basically every piece of electronic equipment in his home seized by the police,
including the Mastodon server that he was running.
Right.
That's an issue.
That's a huge issue.
And it's something that's happened historically.
The EFF was involved in a case 30 years ago.
It's amazing that they've been in existence that long.
Yeah.
But good for them.
And this involved a case called Steve Jackson Games versus the Secret Service. It concerned the seizure of
vast amounts of equipment from an individual named Steve Jackson, who had a games business in Texas.
There were unfounded claims of illegal behavior. They went in and kind of just took everything
from this guy's house. The police did, yeah, exactly.
And in doing so, they nearly drove this company out of business.
The EFF was involved in litigation.
They won that case, but that hasn't changed federal law enforcement's approach.
I think that this really runs afoul of the spirit of the Fourth Amendment,
which is about having particularized warrants.
Now, in each of these cases, there was a warrant.
This wasn't a warrantless search.
The government got authorization based on probable cause to go into this guy's house.
Right.
So that's good.
But the warrants should not be so overbroad that it justifies the collection of all electronic equipment.
It should only justify the collection of that very equipment or device or whatever that is necessary to investigate the case.
And anything that is deemed unnecessary to investigate the case should not be seized as part of that search process.
And I think that would comply with the true spirit of the Fourth Amendment, which going back centuries was about our English legal ancestors being concerned that the king was going to authorize a raid on somebody's house to just kind of see what they found, see if there were any
materials that were disapproved of by royalty and by the king's minions. So that feels kind of
oddly analogous to what's happened here. And I think certainly the case with Mastodon is eye
opening and I think should give us warning about what would happen if law enforcement continues on this path.
But Ben, if I'm law enforcement and I have made the case to a judge that there's probable cause that this person is up to no good, how am I going to know if what I'm looking for or how am I going to know the location of what I'm looking for until
I have a chance to look around? I mean, warrants should be as particularized as possible. You
should describe the items to be searched or items to be seized in a very particular manner. Otherwise,
it becomes overbroad. So if I said, I suspect Dave of committing computer crimes and I raided your house and took every last piece of equipment, yes, that would probably comply with – I could probably get a warrant to do that.
It seems like federal law enforcement has been able to obtain warrants that are that broad.
But it would be unfair because it wouldn't be particularized to the piece of equipment on which you were committing those crimes.
I guess you aren't a great example because unlike the person in this case,
you are not hosting a key server involved in the Fediverse, which has cross-market impacts.
Well, but let's dig into that.
I mean, in the time we have left, why should that matter that one of the pieces of equipment gathered
also affected people who had nothing to do with any of this?
Yeah, I mean, I just think it gives all of us a stake in trying to develop a better standard for this type of collection.
Maybe we think it'll never affect us because we don't commit crimes.
And we think if federal law enforcement is going to somebody's house pursuant to a warrant based on probable cause that person has committed a crime,
then what's in it for us?
I mean, who cares?
Right.
But the reason we care is it could be this person's house
that has something like this Kolektiva.social server used for Mastodon
and that could affect all Mastodon users.
I mean, that's the way the Fediverse works.
So, yeah, I just think it gives everybody more of a stake in the outcome of these searches and seizures.
And it makes it more of a policy issue rather than just an issue for a single criminal defendant.
Right. All right. Interesting to ponder.
Ben Yelin, thanks so much for joining
us. Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Breaking news happens anywhere, anytime. Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.ca.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. We'd love to
know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us
ensure we're delivering the information and insights that help keep you a step ahead in the
rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The CyberWire
are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin
and senior producer Jennifer Eiben.
Our mixer is Tré Hester
with original music by Elliott Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.