CyberWire Daily - DPRK cyberespionage update. New cybercriminal TTPs. The state of DevSecOps. Hacktivism and the nation-state. Cyberwar lessons learned. A free decryptor for Key Group ransomware.

Episode Date: September 1, 2023

A VMConnect supply chain attack is connected to the DPRK. Reports of an allegedly "fully undetectable information stealer." DB#JAMMER brute forces exposed MSSQL databases. A cyberattack on a Canadian utility. The state of DevSecOps. A look at hacktivism, today and beyond. Betsy Carmelite from Booz Allen on threat intelligence as part of a third-party risk management program. Our guest is Adam Marré from Arctic Wolf Networks, with an analysis of Chinese cyber tactics. And a free decryptor is released for Key Group ransomware.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/168

Selected reading.
VMConnect supply chain attack continues, evidence points to North Korea (ReversingLabs)
Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware (Securonix)
Montreal electricity organization latest victim in LockBit ransomware spree (Record)
LockBit ransomware gang targets electrical infrastructure organization in Montreal (teiss)
[Analyst Report] SANS 2023 DevSecOps Survey (Synopsys)
SANS 2023 DevSecOps Survey (Application Security Blog)
Government Agencies Report New Russian Malware Targets Ukrainian Military (National Security Agency/Central Security Service)
Russian military hackers take aim at Ukrainian soldiers' battle plans, US and allies say (CNN)
Ukraine: The First Cyber Lessons (AFCEA International)
The Return of Hacktivism: A Temporary Reprise or Here for Good? (ReliaQuest)
Decrypting Key Group Ransomware: Emerging Financially Motivated Cyber Crime Gang (EclecticIQ)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A VMConnect supply chain attack is connected to the DPRK. Reports of an allegedly fully undetectable information stealer. DB#JAMMER brute forces exposed MSSQL databases.
Starting point is 00:02:15 A cyber attack on a Canadian utility. The state of DevSecOps. A look at hacktivism today and beyond. Betsy Carmelite from Booz Allen on threat intelligence as part of a third-party risk management program. Our guest is Adam Marré from Arctic Wolf Networks with an analysis of Chinese cyber tactics. And a free decryptor is released for Key Group ransomware. I'm Dave Bittner with your CyberWire Intel briefing for Friday, September 1st, 2023. We begin with some notes on the latest badness out of Pyongyang. ReversingLabs continues to track VMConnect, a supply chain attack involving malicious packages
Starting point is 00:03:20 posted to the PyPI package repository. ReversingLabs says, the research team has identified three more malicious Python packages that are believed to be a continuation of the VMConnect campaign. Table Editor, Request Plus, and Request Plus Pro. As happened with the ReversingLabs team's earlier VMConnect research, the team was unable to obtain copies of the Stage 2 malware used in this campaign. The researchers note that the campaign has overlaps with previous attacks
Starting point is 00:03:51 attributed to Labyrinth Chollima, a branch of North Korea's Lazarus Group. Cyfirma is tracking a new malware-as-a-service offering called Prysmax, advertised as a fully undetectable information stealer. Cyfirma notes that currently the malware is indeed fully undetectable by over 95% of signature-based detections commonly employed by antivirus solutions. The researchers add that the info stealer strategically manipulates file associations, enabling it to execute whenever any .exe file is run. This technique ensures that the malware is triggered seamlessly whenever legitimate executable files are opened, potentially leading to persistent infection. Securonix warns that DB#JAMMER attack campaigns are targeting exposed MSSQL databases with brute force attacks in order to deliver FreeWorld ransomware. The researchers note, one of the things that makes DB#JAMMER stand out is how the attacker's tooling infrastructure and payloads are used. Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads. Securonix adds, FreeWorld ransomware appears to
Starting point is 00:05:14 be a variant of Mimic ransomware as it follows many similar TTPs in order to carry out its goals. Both variants appear to abuse the legitimate application Everything to query and locate target files to be encrypted. The LockBit ransomware gang has claimed responsibility for an attack against an electrical infrastructure utility in Montreal, the Record reports. The utility, the CSEM, said, the criminal group at work in this case has made public today some of the stolen data.
Starting point is 00:05:47 The CSEM denounces this illegal gesture while specifying that the data disclosed represents a low risk for both the security of the public and for the operations carried out by the CSEM. It should be noted that all CSEM projects are the subject of public documents. Therefore, all these plans, engineering, construction, and management, are already publicly available through the official process offices in Quebec. And CSEM says it has no intention of knuckling under for the crooks. They can go whistle for their ransom. SANS has published a report commissioned by Synopsys looking at trends in DevSecOps.
Starting point is 00:06:34 The survey found that respondents deemed the most useful activity in their security efforts to be upfront risk assessments that occur before development starts. That's up from the ninth position in 2022. The survey also found that an increasing number of organizations are leveraging AI to assist in their DevSecOps efforts. SANS writes that a new trend in this year's report is the number of respondents exploring artificial intelligence and data science for enhancing DevSecOps. This year shows a significant increase in the use of AI or data science
Starting point is 00:07:04 to improve DevSecOps through investigation and experimentation, up from 33% in 2022 to 49% in 2023. This trend mirrors the broader industry trajectory as organizations increasingly leverage AI to automate and augment their security measures. ReliaQuest has taken a look at what it regards as a resurgence of hacktivism and finds this resurgence driven largely by Russia's war against Ukraine. The new hacktivists are not the independent actors of Anonymous's early days. Indeed, Anonymous proper has faded away. Instead, they're state-inspired and state-directed, sometimes as more or less regular auxiliaries like the IT Army of Ukraine,
Starting point is 00:07:54 sometimes as semi-criminal organizations, and sometimes as simple fronts for state intelligence services. Groups like Killnet and various privateering gangs represent the distinctive Russian contribution to this hacktivist resurgence. ReliaQuest writes, The lines of attribution between threats are blurring. It's becoming increasingly difficult for security researchers and defenders to distinguish between cybercriminal, nation-state, and hacktivist activity, with many of these groups using similar techniques or deliberately obfuscating their identities. DDoS attacks have become the predominant mode of hacktivist activity, and hacktivists have become increasingly accustomed to using commodity malware
Starting point is 00:08:36 available in underground forums. And of course, hacktivism will continue to provide opportunities for nation-states to hide behind deniable front groups. ReliaQuest says it is also likely that nation-state groups will similarly obfuscate their activity by masquerading as hacktivists, either from the outset or by leaving hacktivist aligned artifacts to throw off defenders' attempts at attribution. AFCEA's Signal has published reflections on lessons learned from the cyber phases of Russia's war against Ukraine. This comes as reminders from NSA and others of Sandworm's attempts at cyber espionage against Ukrainian military targets, which continue to reveal the most recent set of Russian tactics, tools, and procedures.
Starting point is 00:09:26 Ukraine has generally been successful in defending itself against Russian cyber operations, but it was in many respects a near-run thing, with success stemming from a mix of preparation, improvisation, and urgent hard work. Early in the war, Ukrainian authorities worked to relocate essential data and services abroad beyond the reach of Russian kinetic attack. Cloud services became vital, but many government agencies in particular were unprepared for cloud migration. International cooperation with both friendly governments and the private sector was important and would have been eased by some preparatory work to overcome inevitable language barriers. Much of the successful improvisation, especially with respect to cloud migration and physical relocation,
Starting point is 00:10:13 was made possible by anticipatory preparation. So, two major lessons are, first, prepare, and second, cultivate and exercise partnerships. But the biggest lesson is this. Russian offensive cyber capabilities were grossly overestimated. So start early, cultivate partnerships, plan, prepare, and remember that the adversary isn't 10 feet tall. And finally, bravo to EclecticIQ, which has released a free decryptor for Key Group ransomware.
Starting point is 00:10:46 Key Group is a nasty Russian gang that targets individuals seeking personal information. It both sells the data and holds the owners up for ransom. Coming up after the break, Betsy Carmelite from Booz Allen on threat intelligence as part of a third-party risk management program. Our guest is Adam Marré from Arctic Wolf Networks with an analysis of Chinese cyber tactics. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
Starting point is 00:11:53 with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:12:45 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. China's approach to the U.S. when it comes to cybersecurity has been complex and often contentious. In many ways, it mirrors the two nations' broader geopolitical interactions. For insights on the threats cyber defenders face from Chinese adversaries, I spoke with Adam Marré, Chief Information Security Officer at Arctic Wolf
Starting point is 00:13:45 Networks. To really understand what's going on today with China and our relationship to them through cyber, we really have to understand what their ultimate goal is. And China's ultimate goal, and this has been stated by them in various plans that they've released to the public, is to become a recognized global superpower on par or greater than the United States. And so all of their operations in the cyber realm are focused on that because they recognize that cyber power is key to achieving that goal. So as a chief information security officer yourself, when you think of China, what are the first things that come to mind? if not actually reading the threat intel. And they're seeing an increase in capability.
Starting point is 00:14:47 They're seeing an increase in tempo of the announcements of breaches that are attributed to China. And also they hear things like when the FBI director, Christopher Wray, says that China has a bigger hacking program than every other major nation combined and have stolen more personal and corporate data than all other nations combined.
Starting point is 00:15:04 It definitely brings it to your forefront of a risk to your own organization. How, in your mind, is China compared to, say, Russia? The Russian hackers, I suppose I should say, do they tend to be noisier? So historically, China was known for less sophisticated, less technical attacks. They were noisier, and they were mostly focused on intellectual property theft and some espionage, including economic espionage as well as geopolitical. But that is changing. These intrusions, network intrusions, are becoming more and more sophisticated, more
Starting point is 00:15:40 stealthy, and increasingly more bold. I think the boldness is coming from the increasing tensions between the United States and China, especially in the last few years. And as those tensions have increased, it appears that the willingness for China to attempt intrusions, network intrusions that are at higher risk of being discovered, they're doing that more often. And it really shows that this is a very important part of their plan around their geopolitical objectives. Where do you suppose we're headed here? Any idea what the future might look like? Obviously, everyone has a close eye on Taiwan. Yeah, exactly.
Starting point is 00:16:27 And so one of the things I think we're seeing here is some peacetime preparation for real-world conflict that may arise. So you pointed out Taiwan. There's also other issues in the South China Sea. And if any of those flashpoints were to become a real world conflict, so when we actually have, you know, warfighter ships, something like that, exchanging blows or something happening in the real world, the cyber realm would certainly be part of that conflict. And China would ostensibly try to dismantle their enemies, in that case, maybe the United States, ability to fight. And they would do that through attacking key infrastructure. So we have already seen and discovered breaches into U.S. key infrastructure, things like communication networks in Guam and in other places like this.
Starting point is 00:17:26 And Jen Easterly, the director of the U.S. Cybersecurity Infrastructure Agency, has warned multiple times this year about China using their formidable capabilities in gaining intrusion into critical infrastructure that would be used in the case of one of those conflicts. Another thing she points out is it wouldn't just be attacking our ability to fight in the region. They could also attack critical infrastructure in the United States in the hopes that that would dissuade support from the citizens of the United States to support such a conflict. So you can imagine if there's a conflict over Taiwan, and yet, you know, the water system or communication system or bus transit is not working in a major U.S. city, maybe folks would say, well, I don't care that much about that conflict over in Taiwan that doesn't affect me. I care about getting clean water into my house and therefore I don't
Starting point is 00:18:18 want to support this. I think that we're going to see that kind of thing in addition to disrupting, you know, direct military communication lines. What sort of recommendations are you and your colleagues there at Arctic Wolf making to your own clients to prepare for some of these possibilities? Yeah, so the first thing is to really understand the threat that you're facing. And recently, there was a joint intelligence briefing that came out about Chinese hackers using living off the land techniques to avoid detection. Again, this is showing an increase in the sophistication of attack. But the first part, stepping back and answering the question, what do we tell our customers? The first thing is to really understand
Starting point is 00:19:00 the threat. So you as an organization might not think China would have any interest in you, but there's a couple of things that you should know. One is that for years, the Chinese have focused on intellectual property theft that you wouldn't expect. There was one case I was familiar with when I was still working for the government where Chinese hackers actually stole engineering plans for residential commercial sprinkling systems. So you can think if they're going that deep into what they're interested in, they may be interested in something in your company, in your business. The second thing is they're increasingly using supply chain attacks. That means they could use your company as a vector, not to attack you, but to attack one of your customers. So you also need to think about your customers when you're evaluating whether or not this is a threat that you face. Now, the good news is to start off and
Starting point is 00:19:51 protecting against this kind of threat is no different than increasing your general cybersecurity program at your company. So this is going to be the basics. And this will be for companies that maybe aren't as mature or don't have as large security teams. They're going to want to be focused on patching vulnerable systems, managing their credentials, using multi-factor authentication, creating a strong culture of security awareness in their company, all the basics. And we all see the breach reports that come out each year. And these basics are usually the things that are compromised, especially patching and mismanaged credentials, weak passwords, and things like that.
Starting point is 00:20:27 So if you're wondering where to start, that is a great place to start. And that's what we tell our customers and we help them with that security journey. For companies maybe that are more advanced, they're going to be wanting to look at baselining normal host behavior and starting to increase their detections on these more sophisticated attacks. So you might look at what is normal behavior on your systems and then start to monitor for even the use of built-in tools on endpoint systems, but maybe they're being used in a strange way. So you can think of tools like PowerShell or WMIC in the case of Windows, and you want to be able to prioritize
Starting point is 00:21:05 the logging of those things. Another thing that's helping is CISA, I mentioned earlier. They are now publishing, and they have for a little while now, but they're publishing known exploited vulnerabilities. And you can start to focus your energies on those known exploited vulnerabilities, looking for the indicators of compromise that are published to start doing threat hunting for this kind of threat. And I highly recommend signing up for the regular emails that come out of CISA and other organizations to help inform your security team to start looking for these kind of very stealthy and agile attacks so that you can detect them. But that would, of course, be if your company is more advanced in their security journey. And finally, you're going to want to,
Starting point is 00:21:52 everyone is going to want to take a look at their supply chain. You're going to want to conduct a full review of your supply chain. This means SaaS vendors that you use, where you get hardware from, all of these things to look and say, what is the security of the supply chain that I use directly? And what is the security of these organizations? You know, when we think of vendor due diligence, we think of other parts of your supply chain, and you're going to want to make sure your security team, your procurement team, your sourcing team are all working together to make sure we understand what we depend on, not just for your business continuity planning in case of an incident, but also understanding what is the risk that one of these vendors is
Starting point is 00:22:28 compromised and therefore we are compromised. That's Adam Marré, Chief Information Security Officer at Arctic Wolf Networks. And joining me once again is Betsy Carmelite. She is a principal at Booz Allen Hamilton for Cyber Defense Operations. Betsy, it is always great to welcome you back. You know, there's been a lot of talk lately about third-party risk, and I wanted to touch base with you about how threat intelligence ties in to how organizations are approaching third-party risk management. Yeah, thanks, Dave, and it's great to be back.
Starting point is 00:23:18 We look at threat intelligence as being able to help mitigate the risk coming from third-party partners and systems. And by that, we mean it can provide the context behind vulnerabilities and attack surface exposures that third-party connections and data transfers can introduce externally to another organization. And to put some definition around things, the risk coming from third parties is the potential for new vulnerabilities to be added into or exacerbate an organization's existing attack surface. So the threat intelligence that we want to be careful about defining is that analyzed information that identifies
Starting point is 00:23:59 adversarial or unintended harm, and it drives security decision-making, less the raw information that you're getting off of monitoring and log data, turning that information into a more finished, analyzed form. So that can inform how the vulnerability and security weakness might be exploited in a specific organization circumstance. You know, I always hear folks, when they talk about threat intelligence, they talk about how important it is that it be actionable. Is that what you're talking about here? Yeah, yeah. And there are a couple ways that threat intelligence can be actionable, but also better derived before moving into the action phase. One thing, looking at the reconnaissance phase of an attack, and that's really where you do want to take the action, prioritize those reconnaissance and initial access phases of an attack for risk reduction. So you want to look at your internal threat intelligence.
Starting point is 00:25:07 That's the intelligence and data coming from an organization's networks and logs. What story is that telling you? Again, not just the raw data. That's really the most helpful intelligence for providing direct visibility into active exposures or any threats. And when you're looking at that recon or initial access phase, an organization can identify if there is activity on its networks that may be a result of an external connection. And perhaps that's scanning, extraction of personal information, such as credentials or personally identifiable information, also the gathering of internal database information or traffic leaving the network. In the latter case, that's really in the danger zone.
Starting point is 00:25:54 So you want to be catching a lot of that intel and looking at it against the recon phase. So when we're talking about third-party risk management, to what degree is it helpful to have third-party threat intelligence, to have someone from outside the organization supplement your own internal threat intelligence? Yeah, so that's an area where understanding where your sources are coming from and what sources you can make use of is really important. So there are companies that do specialize in customizable third-party risk management programs.
Starting point is 00:26:32 Because this is really hard work and complex, understanding all the entry points and all of the intelligence and the vulnerability information that can affect those entry points. So they can work with, let's just say, a critical infrastructure stakeholder to look at their specific threat circumstances. But back to the data, threat and vulnerability information gathered from open sources can be really helpful in providing insights into internet-connected devices and interconnected devices, and also the information that organizations and their employees expose. That can tell us how attackers might exploit an enterprise, and also realizing that attackers create threat intel about us.
Starting point is 00:27:23 So thinking like an attacker and finding a threat intel provider who can think like that attacker. Also applying cyber psychology principles and understanding how the attacker would seek out social engineering entry points. And many other entities can figure out those social engineering entry points.
Starting point is 00:27:43 So what are your recommendations for folks to just start down this path to better come at this? Organizations should conduct third-party compromise assessments. And those are also based on threat intelligence and known adversary capabilities. And the assessments will use the threat intelligence, specifically how actors, their tactics, techniques, procedures are already compromising networks and data to understand how the third party may have previously been breached or indicate the current potential for breach and exposure based on information gathered from the third party. This is actually really critical also prior to partnering or prior to a merger and acquisition to have this kind of compromise assessment performed to know what you're really getting into in terms of risk and how to mitigate it before going into the partnership. And threat intelligence can also teach external entities and individuals how threat actors are escalating privileges. And we've seen this in several high-profile
Starting point is 00:28:54 and extensively damaging attacks to retailers, for instance, in the past decade. So understanding where you can implement a privilege access management program is really a strong recommendation here. All right. Well, Betsy Carmelite is a principal at Booz Allen Hamilton for Cyber Defense Operations. Betsy, thanks for joining us. Sure, Dave. Thank you. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. This episode is brought to you by RBC Student Banking.
Starting point is 00:30:16 Here's an RBC student offer that turns a feel-good moment into a feel-great moment. Students, get $100 when you open a no monthly fee RBC Advantage banking account and we'll give another $100 to a charity of your choice. This great perk and more only at RBC. Visit rbc.com slash get 100, give 100. Conditions apply. Ends January 31st, 2025. Complete offer eligibility criteria
Starting point is 00:30:37 by March 31st, 2025. Choose one of five eligible charities. Up to $500,000 in total contributions. And that's the CyberWire. A reminder, Monday is the Labor Day holiday here in the U.S. and we'll be taking the day off. We'll be back, of course, as usual on Tuesday. If you're off as well, enjoy the long weekend. And if you're not, have a good productive start to the week. Be sure to check out this weekend's Research Saturday and my conversation with Kristopher Russo and Stephanie Regan from Palo Alto Networks' Unit 42. We're talking about their threat group assessment looking at Muddled Libra.
Starting point is 00:31:19 That's Research Saturday. Check it out. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many Thank you. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.
Starting point is 00:32:13 This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here
Starting point is 00:32:29 next week. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
