CyberWire Daily - Flight-planning and rail services disrupted in separate incidents. BEC gang impersonates law firms. Effects of the hybrid war on action in cyberspace. And a farewell to Vitali Kremez, gone far too soon.
Episode Date: November 4, 2022
Flight-planning services are affected by cyberattack, as are Danish rail services. A BEC gang impersonates international law firms. Effects of the hybrid war on action in cyberspace. Deepen Desai from Zscaler examines the evolution of the X-FILES Stealer. CyberWire Space Correspondent Maria Varmazis has an analysis of the Starlink situation in Ukraine. And a sad, final farewell to Vitali Kremez, gone far too soon. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/213
Selected reading.
Boeing subsidiary Jeppesen's services impacted by cyber incident (Reuters)
BREAKING: Boeing's Jeppesen Subsidiary Hit With Potential Ransomware Attack (Live and Let's Fly)
Danish train standstill on Saturday caused by cyber attack (Reuters)
Cyber incident at Boeing subsidiary causes flight planning disruptions (The Record by Recorded Future)
Crimson Kingsnake: BEC Group Impersonates International Law Firms in… (Abnormal Security)
New Crimson Kingsnake gang impersonates law firms in BEC attacks (BleepingComputer)
Ukraine war, geopolitics fuelling cybersecurity attacks -EU agency (Reuters)
Microsoft Extends Aid for Ukraine's Wartime Tech Innovation (SecurityWeek)
Evaluating the International Support to Ukrainian Cyber Defense (Carnegie Endowment for International Peace)
Cyber community mourns renowned researcher Vitali Kremez (The Record by Recorded Future)
Remembering Vitali Kremez, Threat Intelligence Researcher (Bank Info Security)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Flight planning services are affected by a cyber attack, as are Danish rail services.
A BEC gang impersonates international law firms.
The effects of the hybrid war on action in cyberspace.
Deepen Desai from Zscaler examines the evolution of the X-FILES Stealer.
Maria Varmazis has an analysis of the Starlink situation in Ukraine.
And a sad final farewell to Vitali Kremez, gone far too soon.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 4th, 2022.
We open with a couple of stories that have affected different transportation sectors over the past week.
Boeing subsidiary Jeppesen has disclosed that its services were
interrupted by a cyber attack this week. Reuters describes Jeppesen as a provider of analytical
and flight planning services. The company said, we are currently experiencing technical issues
with some of our products, services, and communication channels. We are working to
restore functionality as soon as possible.
Among the services affected is the processing and distribution of NOTAMs,
notice-to-air missions. NOTAMs remain available from other official sources.
Live and Let's Fly reports that the incident may have been a ransomware attack.
Train service interruptions in Denmark last
Saturday have now been attributed to a cyber attack, Reuters reports. Danish rail operator
DSB said yesterday that an IT contractor, Supeo, had been hit by a criminally motivated cyber
attack that led Supeo to shut down its servers as a precaution. This had a cascading effect on rail service.
Security firm Abnormal Security is tracking a threat actor they call Crimson Kingsnake
that's launching business email compromise attacks by impersonating attorneys, law firms, and debt recovery services.
Crimson Kingsnake specializes in blind third-party impersonation
attacks, a term Abnormal uses to describe BEC attacks in which the threat actor doesn't have
direct visibility into the targeted organization's communications or business transactions.
The researchers say, based on our observations, a typical Crimson Kingsnake attack starts with an email impersonating an attorney and referencing an overdue payment the target's company owes to the firm or a company they represent.
The impersonated attorney and the law firm they purportedly work for actually exist in the real world, so if the target ran a Google search for either, they would actually find results for the impersonated parties.
To add legitimacy to their communications, Crimson Kingsnake uses email addresses hosted
on domains closely resembling a firm's real domain. The display name of the sender is set
to the attorney that is being impersonated, and the email signature contains the firm's actual company address.
Since March of 2022, we've identified 92 domains linked to Crimson Kingsnake that have mimicked the domains of 19 law firms and debt collection agencies
in the United States, the United Kingdom, and Australia.
Many of the firms referenced in Crimson Kingsnake attacks
are major multinational practices with a global footprint.
If an employee replies to one of these emails, the attacker will send them a phony invoice
requesting tens of thousands of dollars. If the employee questions the invoice,
the attackers will impersonate an executive at the employee's company authorizing the transaction.
So, the social engineering mingled the authority of a law firm
with the fear that legal letterhead often induces.
It's proved enough to get some people to lower their guard.
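As an added illustration that is not part of the CyberWire segment or of Abnormal Security's report, here is a defender-side triage check for the pattern just described: a sender domain that nearly matches a law firm the organisation really deals with, combined with overdue-payment pressure wording and a mismatched Reply-To. The allow-list domains, the phrase list and the sample message are all constructed for the example.

```python
import re

# Constructed allow-list of firms this organisation really deals with (hypothetical
# names; not the firms referenced in the Abnormal Security report).
KNOWN_FIRM_DOMAINS = {"example-law.com", "northbridgelegal.co.uk"}

# Wording typical of the overdue-invoice pretext described in the segment (constructed).
PRESSURE_PHRASES = ("overdue", "final notice", "remit payment", "legal action", "invoice")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character lookalike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header: str):
    """Split 'Display Name <user@domain>' (or a bare address) into (name, domain)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    addr = m.group(2) if m else header.strip()
    name = m.group(1).strip() if m else ""
    return name, addr.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str, known=KNOWN_FIRM_DOMAINS, max_dist: int = 2):
    """Return the legitimate domain that `domain` imitates, or None (exact or unrelated)."""
    if domain in known:
        return None
    label = domain.split(".")[0].replace("-", "")
    for real in known:
        if levenshtein(label, real.split(".")[0].replace("-", "")) <= max_dist:
            return real
    return None


def assess(headers: dict, body: str):
    """Score one inbound message for the blind third-party impersonation pattern."""
    reasons = []
    _, domain = parse_from(headers.get("From", ""))
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain {domain} resembles {imitated}")
    _, reply_domain = parse_from(headers.get("Reply-To", headers.get("From", "")))
    if reply_domain != domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    hits = [p for p in PRESSURE_PHRASES if p in body.lower()]
    if hits:
        reasons.append("payment-pressure wording: " + ", ".join(hits))
    # Lookalike domain plus pressure wording together is treated as a probable BEC attempt;
    # any single signal is routed to a human for review.
    verdict = "probable-bec" if imitated and hits else ("review" if reasons else "clean")
    return verdict, reasons


# Constructed sample in the style the report describes (not a real capture).
SAMPLE = {
    "From": '"A. Attorney" <a.attorney@examplelaw.com>',
    "Reply-To": "a.attorney@examplelaw.com",
    "Subject": "Final notice: overdue invoice 4471",
}
SAMPLE_BODY = ("This is a final notice regarding the overdue invoice owed to our client. "
               "Remit payment within 3 days.")

if __name__ == "__main__":
    print(assess(SAMPLE, SAMPLE_BODY))
```

Edit distance alone is a coarse filter; in production the allow-list should be the firms found in the organisation's own vendor records, so that an exact match is verified rather than merely assumed legitimate.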
Russian cyber campaigns have so far not worked the widespread devastation
on Ukrainian and allied infrastructure that had been expected at the
outset of the war. But ENISA, the EU's cybersecurity agency, finds that the war has nonetheless shaped
activity in cyberspace. ENISA's Threat Landscape 2022 report says, the geopolitical situations,
particularly the Russian invasion of Ukraine, have acted as a game-changer over the reporting
period for the global cyber domain. While we still observe an increase in the number of threats,
we also see a wider range of vectors emerge, such as zero-day exploits and AI-enabled
disinformation and deepfakes. As a result, more malicious and widespread attacks emerge, having more damaging impact.
How and why the cyber phases of the hybrid war have developed as they have remains a matter for speculation and analysis.
The Carnegie Endowment for International Peace has issued an assessment of the state of international assistance rendered to Ukraine for its cyber defense.
Such assistance is being considered as at least a partial explanation of Russia's failure to meet
expectations in its cyber campaign. The report offers a clear summary of pre-war expectations
of Russian performance in cyberspace, stating, many, though not all, pre-war assessments expected
that cyber attacks would play a
significant role in Russia's campaign. The strategic context suggested that although
Ukraine had much experience in defending against Russian cyber attacks and could call on motivated,
highly capable experts to protect critical targets, it would ultimately be unable to
prevent major harm to and exploitation of digital networks and data.
Ukraine's operational strengths would be outmatched by Russia's strategic advantages
of possessing some of the world's most powerful offensive cyber capabilities,
albeit with debatable strategic effectiveness,
and operating in a digital terrain that has been thought to favor the
offense over defense. Moscow appeared to be holding a decisive advantage in cyberspace.
Officials in Kyiv have credited assistance from the EU, the UK, and the US with providing major
assistance to Ukraine's cybersecurity. Western technology companies have also provided extensive support.
This assistance includes Starlink's provision of satellite communication services,
which the company this week has said will continue.
It also includes Microsoft's commitment of $400 million
to enable Ukraine to continue its use of Redmond's cloud and data services.
The Carnegie Endowment's paper concludes with some lessons learned so far from the experience of Russia's war.
Overall, the lessons make the case for the effectiveness of collective defense,
stating,
Cyber defense at scale relies on the involvement of the largest commercial technology and cybersecurity companies.
Politics and geopolitics count in cyberspace just as everywhere else. Shared values are as important as shared interests. Government can be a catalyst and sponsor of large-scale cyber defense
involving commercial entities. And capacity building is valuable, but it is no substitute for capability reinforcement.
People will be drawing lessons from Russia's war against Ukraine for years,
but it's not too early to make a preliminary assessment,
and that's what the Carnegie Endowment has done.
We close with a sad note of farewell.
Vitali Kremez, chairman and CEO of AdvIntel, died in a scuba accident this week.
He was a true white hat, much respected in the community, and he'll be missed.
Our condolences and wishes for consolation to all of his family, friends, and colleagues. Coming up after the break,
Deepen Desai from Zscaler examines the evolution of the X-FILES Stealer.
Maria Varmazis has an analysis of the Starlink situation in Ukraine.
Stay with us.
Starlink satellite internet has been a valuable resource for the Ukrainian army fighting against the invading Russians.
The rhetoric around this tool has been complicated and at times confusing.
Our CyberWire space correspondent Maria Varmazis has the latest.
It's been a busy news cycle for anyone trying to follow the story about Elon Musk, Starlink, and the war in Ukraine. At first, Musk said he's
happy to provide Starlink to Ukraine, and then he says he can't do it anymore, and then he says,
wait, never mind, and I quote, to hell with it, and will continue to provide Starlink support
to Ukraine despite the costs. It can't be said enough that communication via Starlink has been crucial for soldiers fighting in Ukraine.
Mobile phone infrastructure is damaged, distances are often too impractical for radio,
so Starlink has been the option for battlefield command and control,
from sharing intelligence to controlling drone flights to simply communicating with families and with the outside world.
So while the debate roiled over who has been paying for Starlink access
and how to sustain the financial support for Starlink service in Ukraine,
wrapped up in all of this was controversy about Starlink connectivity
on the Ukrainian front lines, specifically in the south and the east,
just as Ukrainian fighters made some serious headway into regaining territory.
Starting in late September, Ukrainian fighters on the front lines started reporting some major Starlink outages,
which soldiers on the ground said had a, quote, catastrophic impact.
As the zones of control and of war are often shifting quickly,
satellite geofencing might not always reflect the on-the-ground reality.
And it's possible that the geofencing meant to keep Russia from using Starlink simply hadn't
been updated quickly enough to match the needs of Ukrainian fighters on the front.
But the timing of the Starlink outage did raise some eyebrows. Ukrainian fighters started seeing
outages around September 30th, and just a few days later,
on October 3rd, Elon Musk tweeted that perhaps Ukraine could put an end to this war by giving
Crimea and Donbass to Russia, which coincidentally also happens to be what Russian President Vladimir
Putin wants. A belief repeated by some Ukrainian officials was that perhaps the geofencing had purposely not been
updated to reflect Ukraine's newly regained territory. If the timing of Musk's tweets about
ceding territory to Russia seemed suspect, one could infer Musk's sympathies and see restricting
Ukrainian frontline access to Starlink as a decisive move to try and shift battlefield
conditions to Russia's favor.
But the inverse to that theory also follows.
If SpaceX purposely disabled Starlink connectivity in those areas,
it was perhaps to prevent Starlink from being used in a counteroffensive by Russian forces.
Both theories depend on your point of view of which side of this war Musk does or doesn't support.
But for his part, Musk hints in his tweets that the explanation could be a lot simpler.
Namely, it's Russian interference.
Here's a few words from Elon Musk himself
from his Twitter account.
Quote,
In addition to terminals,
we have to create, launch, maintain,
and replenish satellites and ground stations
and pay telcos for access to Internet via gateways.
We also had to defend against cyberattacks and jamming,
which are getting harder.
Starlink is only comms system still working at warfront,
all others dead.
Russia is actively trying to kill Starlink.
To safeguard, SpaceX has diverted massive resources towards defense.
Even so, Starlink may still die.
Internet fiber, phone
lines, cell towers, and other space-based comms in war areas have been destroyed.
Starlink is all that's left for now. End quote. And then here at the end of this tweet, Elon Musk
also includes a link to an article in Wired about the February Viasat attack.
So the implication there, if one really wants to read into tweets by the notoriously mercurial
Musk, is that with Starlink being so crucial to Ukrainian fighters, that of course it's
going to be a prime target for jamming and cyber attack takedowns by Russia.
And it should be noted that while the Starlink outages started in late September, by around
October 7th, it seems that connectivity on the war front lines had mostly been restored.
And Starlink itself faced and foiled signal jamming attacks from Russia earlier this year, in fact.
In March, Starlink updated its software in mere hours to mitigate jamming techniques that were being seen on the front lines used against them.
And on March 25th, Musk himself proudly tweeted that, quote,
Starlink, at least so far, has resisted all hacking and jamming attempts. But it's possible that Russia has started to find new ways to affect
Starlink's service that SpaceX can't quite act against yet. Not everyone believes Musk's claim
that Starlink's downtime was due to jamming, or at least that it was solely due to jamming.
Many military experts believe it may have been a combination of a number of factors, including jamming as well as the geofence not being updated.
Since Starlink is so crucial to Ukrainian fighters, and since Starlink really is the
only option for resilient frontline connectivity and communication at this point, despite the
unexplained outage, for now, we may just have to take Musk at his tweeted word.
For the CyberWire, I'm Maria Varmazis.
There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro
and sign up for Interview Selects, where you get... Back to the show: Deepen Desai. He is the Chief Information
Security Officer and VP of Security Research and Operations at Zscaler. Deepen, always great to
welcome you back to the show. I want to talk to you today about some research
that you and your colleagues have published recently.
You were tracking the X-Files Stealer,
some of the things you've been seeing
in terms of evolution of that.
What can you share with us today?
Yeah, thank you, Dave.
So, yeah, ThreatLabs team recently spotted
a new variant of an InfoStealer named X-Files.
And we've been tracking this for almost a couple years now.
There were a few enhanced features and the way it was exfiltrating data,
which prompted the team to dissect further and publish our research on it.
Well, let's go through some of the details together here. What sort of things have been updated?
Yeah, so, I mean, if I were to start with the history, the X-Files family has been around since
March of 2021. There were a couple of variants that we saw in 2021 itself. In June, which is
a couple of months back, we saw a new version of this stealer where there were a few things
being added. And I'll go through that. One of the stuff that we saw with this malware was the infrastructure that was being used was in Russian region.
The IPs where the phishing domains were hosted were located in Russia.
The C2 panel where the malware will communicate with post-infection were also in Russia.
And then what we've seen is in the recent variant that I'm talking about,
they started exploiting Follina vulnerability. And for those of you that don't know, that's the remote code execution vulnerability that Microsoft recently released workaround guidance as well.
So this was affecting Microsoft support diagnostic tool in Windows
where a remote, unauthenticated attacker could essentially
exploit this vulnerability to take over the impacted system.
X-Files payload was taking advantage of that,
or the threat actors behind it were taking advantage of that to plant this.
And then it aims to steal and exfiltrate sensitive information such as browser credentials,
crypto wallets, your FTP application credentials, and then financial stuff like credit cards.
What's going on under the hood here? I mean, do you have any sense for what sort of tools they're using to develop this? Yeah, so this is actually all the variants that we have stumbled across are all
written in C sharp. That's a programming language and with new features being added over time by the
threat actor. With the latest variant, the threat actors have switched to hiding some of the interesting strings.
And this again falls in the anti-analysis, anti-evasion technique where the goal for the threat actor is to increase the shelf life of these payloads.
So base64 format rather than plain text for some of those interesting strings.
Change in the C&C protocol,
where what will be observed over the network layer
when the payload communicates with the command and control server.
So we observed some obfuscation getting added over there too.
That's interesting.
You say you all have been tracking this organization
for a couple of years now.
I guess it's fair to say that we can expect them to be around for a while.
Yeah, with the new updates getting pushed out,
we do expect this to continue.
It's important for the end users.
Again, this is one of those stealers that will show up
as part of cracked software.
The other one was phishing campaigns
being leveraged to deliver this payload as well.
So make sure when you click on those links,
you know you trust the destination.
Do not download software from unsolicited links
that you receive.
Never click on them to begin with.
Yeah.
All right.
Well, Deepen Desai, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Roya Gordon from Nozomi Networks
on UWB real-time locating systems, how secure radio communications may fail in practice.
That's Research Saturday.
Check it out.
The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester,
Brandon Karpf, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan,
Carol Terrio, Maria Varmazis, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Catherine
Murphy, Janine Daly, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, Simone Petrella, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.