CyberWire Daily - Familiar threat actors are back in the news. Big Tech’s testimony on Capitol Hill had less to do with Section 230 than many had foreseen.
Episode Date: October 29, 2020
Some familiar threat actors--both nation-states and criminal gangs--return to the news: Venomous Bear, Charming Kitten, Wizard Spider, and Maze. Mike Benjamin from Lumen looks at the Mozi malware family. Our guest is Neal Dennis from Cyware on why it's time for organizations to step up their data sharing. And Big Tech's day on Capitol Hill involved more discussion of censorship and bias than it did Section 230 of the Communications Decency Act. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/210
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Some familiar threat actors, both nation states and criminal gangs,
return to the news.
Venomous Bear, Charming Kitten, Wizard Spider, and Maze? Oh my.
Mike Benjamin from Lumen looks at the Mozi malware family.
Our guest is Neal Dennis from Cyware on why it's time for organizations to step up their data sharing.
And Big Tech's day on Capitol Hill involved more discussion of censorship and bias
than it did Section 230 of the Communications Decency Act.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 29th, 2020.
Several familiar threat actors are back in the news.
Some represent states, others are just criminal gangs.
We'll take up the state actors first. The Russian government operation Turla, also known as
Venomous Bear, is back. According to Accenture's cyber threat intelligence researchers, Turla has
hacked an unnamed European government. Bleeping Computer reports the Russian group deployed
recently updated remote administration Trojans and remote procedure call-based backdoors in attacks between June and October of this year.
The Estonian government and others have associated Turla with Russia's FSB,
the Federal Security Service, a principal successor to the old Soviet KGB.
CyberScoop's discussion of the reasons behind Turla's repeated success focuses on the care,
patience, and attention to detail
the threat group uses to gain access to its targets.
Embassies and diplomatic missions have figured high on Turla's target list,
but it's also made attempts on military organizations, including United States Central Command.
Accenture's report concludes, quote,
Turla will likely continue to use its legacy tools, albeit with upgrades, ... and build detections aimed at thwarting this threat actor. End quote.
The other state actor in the news comes courtesy of Tehran.
Microsoft has reported successful efforts by the Iranian threat group Redmond tracks as Phosphorus, also known as APT35 or Charming Kitten,
to access accounts belonging to people thought likely to attend the Munich Security Conference
and the Think20 summit in Saudi Arabia. Charming Kitten's goal this time around appears to have been
collecting intelligence on foreign policy. The initial entree is gained, as is usually the case,
through phishing. People whose background and expertise make them plausible participants in
the two high-profile conferences are being sent spoofed invitations by email.
COVID-19 restrictions serve as an aid to the plausibility of the invitation.
If you live, for example, in Rio de Janeiro,
you might not be likely to hop on the next Lufthansa run to Munich,
but signing up to attend a conference online is a different matter altogether,
and the phishbait proffers access to remote sessions that anyone might well be tempted to consider.
Once you sign up, well, the credential harvesting begins.
Microsoft says,
The emails used near-perfect English and were sent to former government officials,
policy experts, academics, and leaders from non-governmental organizations.
The U.S. Cybersecurity and Infrastructure Security Agency,
with the FBI and the Department of Health and Human Services,
yesterday issued a warning that the Ryuk operators
were conducting a very large campaign against U.S. hospitals.
Much of the ransomware deployment is being conducted from the revived TrickBot Trojan,
somewhat impeded but still effective.
The Ryuk operators are sometimes known by the name security firm CrowdStrike gave them,
Wizard Spider. They're a Russophone criminal gang, not a unit of the intelligence or security organs.
Ryuk may be run by feral, conscienceless criminals, but at least they can't be
accused of pious hypocrisy.
They're not among the gangs who promised to put healthcare organizations on a do-not-touch list,
nor are they among the crooks posturing as Robin Hoods by making donations to charity.
Ryuk is run by old-fashioned bandits with no interests beyond the main chance.
Organizations in the healthcare and public health sector should be especially on their guard.
Their services are more important than ever during the pandemic, and any disruptions are a serious matter. CISA has some useful advice on its site. One prominent and much-repeated bit of advice is
that you shouldn't pay the ransom. Not only does that fuel the bandit economy, but there's no
particular reason to think it will do you any good.
An effective preparation and recovery plan should be well within the grasp of any healthcare organization. And there are signs that a prominent ransomware group may be shutting down.
Bleeping Computer says that the Maze Gang appears to be closing its operation.
New infestations appear to have stopped in September,
and the gang is making what appears to be
a last-minute push for payment from its existing victims.
Maze is well-known as a criminal innovator.
The gang was among the first to combine
conventional ransomware with direct blackmail,
stealing as well as encrypting its victims' data
and threatening to release it online.
It's also been marked by its relatively sophisticated media relations,
acting more like a corporation with a public affairs office
than like a collection of thugs beating their chests in some biker bar.
The speculation about a shutdown comes largely from fringe chatter and rumor.
When Bleeping Computer contacted Maze's press contacts,
the only answer they got was a coy, wait for the press release.
Other criminal operators have shut down in the past,
and if Maze does close its doors, that's not to be taken as unalloyed good news.
It won't mean they've seen the error of their ways and gone straight.
It's just that they'll have shifted operations to another criminal toolbox.
In the case of Maze, that's likely to be the related Egregor ransomware.
And finally, according to the Wall Street Journal,
yesterday's U.S. Senate Commerce Committee hearings
largely addressed senatorial concerns about online platforms' content moderation.
Facebook, Google, and Twitter CEOs testified.
TechCrunch complains that Section 230 was hardly addressed, at least not directly.
Section 230 of the Communications Decency Act is the law that gives Internet platforms
the intermediate status they presently enjoy,
with most of the benefits of a neutral public square on the one hand
and a publisher on the other,
but without many of the responsibilities or liabilities of either.
Section 230 has been widely credited with fostering the growth of the Internet,
but its continuing utility has come into question in recent years,
as the Internet strikes many observers as having outgrown the need for that sort of shelter.
Questions were perhaps predictably partisan,
with Republicans concerned that Big Tech was censoring speech Big Tech didn't care for, but conservatives liked, and Democrats concerned that Big Tech wasn't censoring enough speech progressives didn't like.
In general, Twitter's Dorsey was the most defiant, Google's Pichai the most determinedly respectable, and Facebook's Zuckerberg the most, well, maybe we could all do better
and let's all try to get along.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life. You'll be solving
customer challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
The online criminal bad guys and gals have long established a culture of information sharing,
dating back to the days
of dial-up BBSs to today's dark web forums and markets. Our guest, Neal Dennis from Cyware,
says it's time organizations took a page out of the hackers' handbook and stepped up their
information sharing. Today, we're very fortunate where we're at, I think, personally, technologically
and scale of what's going on today than where we were maybe, say, even five years ago.
Today, we see a lot of new technologies out there that are able to standardize and facilitate
the machine-to-machine aspects of things that, when I first got into the ISAC world a handful of years ago,
were not really well-founded.
We've got a lot better standards, a lot more initial adoption around even some of those
standards, which is obviously key. But even more importantly, five, six years ago, ISAOs as a
concept were new. We kind of had that happen in 2015 with the executive order. But we've gone
from nothing to a lot of little things. And we're kind of reaching, I think, critical mass in the sense where most of them understand that they still can't, even if they have a hundred member
base or 10,000 member base, they can't necessarily continue to go at it alone. So a lot of them are
starting to foster legit relationships between those communities and starting to have those
more kind of open door policies for sharing between, at the very least, between the analysts that facilitate the community, at the very least, if not actually fostering like cooperative groups and things like that and moving that ball forward a lot.
So we're definitely not to the 100% mark, but we are starting to see a lot more collaborative environment, even within the actual communities themselves, like intercommunity.
And that's a big key development, I think.
And just for clarity, ISAOs are information sharing and analysis organizations, and ISACs are information sharing and analysis centers.
What is holding folks back at this point, the people who are still feeling a little resistant to it,
what's getting in their way? There's a couple of things. There's a lot of people, especially in
the ISAO world specifically, not the ISAC world, a lot of people get involved and they have some
legal concerns. I think that the structured legality of an ISAC blatantly provides you
with a little bit more overhead on what
constitutes safe to share information versus what would be considered a breach. And even then,
within ISACs, they still have some concerns. But long and short, it sounds like that legal overhead
is a little fuzzier for good reasons. We didn't want to, the government didn't want to dictate
too much within that. They kind of wanted to see this kind of native growth
within the industries for these things. And so I think legality issues, concerns around that,
understanding what is okay to share, what's considered non-compete, what's considered
competitive share, you know, in those antitrust laws and things of that nature. And then the other
part of that, just, you know, institutionalizing and adopting of both the human-to-human interface and then that machine-to-machine component.
So technology plays a good role in lack of adoption.
We're still new as a whole to this idea.
And people's first questions, one of the first ones is, hey, is there actually any value proved out from this?
Has anybody shown that me being involved in these organizations actually matters other than just me saying I'm there? And once again, we're reaching
that critical mass, we're reaching that capability where we can start showing these things. And we
have use cases and scenarios that prove out the value of these communities. And hopefully in the
next year to two years, you know, what's available now just exponentially explodes as we start
building more around those use cases and those scenarios that show that value added.
That's Neal Dennis from Cyware.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a
default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Mike Benjamin.
He's the head of Black Lotus Labs, which is part of Lumen Technologies.
I want to talk today about something you and your team have been tracking,
and you call it Mozi.
What's going on here?
Mozi is a malware family that targets IoT devices.
And it's interesting because the actors behind it
have taken some of the source code from a few different IoT families
and put them together to create a new generation of malware.
And so this particular malware family is capable of DDoS attacking,
capable of data exfiltration.
And then, as many families do these days, it supports arbitrary payload execution.
So the actors at the end of the day can tell it to do just about anything on the endpoint that's infected.
What's interesting about this compared to many of the other IoT families is that this one is a peer-to-peer network rather than a simple hierarchical C2 back to a single or a small subset of domain names. So it works from a network perspective very different,
but at the end of the day, the DDoS code came directly from other families.
Now, why peer-to-peer? What are the advantages here that it gives the attackers?
You know, it's interesting. Just as some attackers like writing in C and others write it in Go, in many cases, it's a preference of the tooling of the particular
actor group. There are benefits to them that from a takedown perspective can be a little more
difficult to remove the infections. However, from a control perspective, it can be more difficult for them.
So making sure that they maintain access to the network
and access to the infrastructure can be difficult.
It's also more code to maintain
in order to maintain the distributed tables
and other things,
even when they're taking code
from other open source projects,
it's still a larger software development exercise
than a simple TCP socket to a standard C2.
Now, what kind of devices is Mozi targeting here?
Well, unfortunately, it's the same answer we give to a lot of IoT malware families.
So it's consumer-grade routers, and it's small business and consumer-grade DVRs and NVRs.
It's the same embedded Linux systems that we've sort
of been plagued by in this space for the last few years. It really isn't changing. I am happy to
report that at least they are new generations of devices. They are different vendors. They are
different software revs. And so whereas a few years ago, we were seeing the exact same revs
and the exact same vendors just get compromised over and over. The industry is getting better, and it is taking a little longer for the actors to release
new exploits, to incorporate new exploits, and they are going away faster once they're incorporated.
So we're getting better, but I'd rather not come on and tell you that it's consumer routers and
NVRs again in the future. So we've still got room to improve. Yeah. What can we do to stop this? What's effective for shutting it down?
Well, the first is making sure things are patched, making sure you're buying equipment
that auto-patches or is capable of patching is the most basic. But even then, making sure that
the TCP connections are not available to the open internet. And so most of these actor
groups, they scan the internet on some pretty common ports, use some pretty well-known exploits.
So if the port's not open and the exploit doesn't work, they're going to move right on.
There's pools of thousands and thousands of these things. As of this morning, this botnet is about
14,000 strong. So your one individual home is just not going to be of
interest if they can't connect to it. They're going to move to the next one. I see. Interesting.
All right. Well, Mike Benjamin, as always, thanks for joining us. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed. Make a run for the border. Listen for us on your Alexa smart speaker
too. CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.