CyberWire Daily - GREF and Earth Estries from China. GRU’s Sandworm surfaces again, wielding “Infamous Chisel.” Hacktivist nuisances in the hybrid war. A zero-day is discovered. And the Wolverines are back online.
Episode Date: August 31, 2023

China deploys tools used against Uyghurs in broader espionage. The Five Eyes call out a GRU cyberespionage campaign. Russian hacktivist auxiliaries hit Czech banks and the platform formerly known as T...witter. A Spring-Kafka zero-day is discovered. Deepen Desai from Zscaler explains RedEnergy Stealer-as-a-Ransomware attacks. Luke Nelson of UHY Consulting on ransomware's impact on schools. And, hey, go Wolverines: the University of Michigan overcomes a cyberattack that delayed the academic year.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/167

Selected reading.
BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps (We Live Security)
Earth Estries Targets Government, Tech for Cyberespionage (Trend Micro)
Infamous Chisel Malware Analysis Report (Cybersecurity and Infrastructure Security Agency CISA)
UK and allies support Ukraine calling out Russia's GRU for new malware campaign (NCSC)
Hackers Attack Czech Banks, Demanding End of Support For Ukraine (Brno Daily)
More Russian attacks on Czech banks: Hackers call for end of support to Ukraine (Expats.cz)
Anonymous Sudan hacks X to put pressure on Elon Musk over Starlink (BBC News)
Contrast Assess uncovers Spring-Kafka deserialization zero day (Contrast Security)
U. Michigan restores campus internet after cyberattack disrupts first week of classes (EdScoop)
Internet restored on University of Michigan campus, ongoing issues still expected (mlive)
University of Michigan isn't disclosing details of internet outage cyberattack (Detroit Free Press)
Expert weighs in on school cyberattacks as University of Michigan makes progress on internet outages (CBS News)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
China deploys tools used against Uyghurs in broader espionage.
The Five Eyes call out a GRU cyber espionage campaign.
Russian hacktivist auxiliaries hit Czech banks and the platform formerly known as Twitter.
A Spring-Kafka zero-day is discovered.
Deepen Desai from Zscaler explains RedEnergy Stealer-as-a-Ransomware attacks.
Luke Nelson of UHY Consulting on ransomware's impact on schools.
And go Wolverines!
The University of Michigan overcomes a cyber attack that delayed the academic year.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, August 31st, 2023. We begin today with developing stories on cyber espionage.
Cybersecurity firm ESET is reporting that the China-linked threat actor they track as GREF
is distributing the BadBazaar Android malware via trojanized versions of Telegram and Signal
in the Google Play Store and the Samsung Galaxy Store.
Both stores have since removed the malicious apps.
ESET notes that BadBazaar has been used in the past to target Uyghurs and other Turkic ethnic minorities.
In this case, the malicious Telegram app called FlyGram
was shared in a Uyghur Telegram group.
The researchers add that the malicious Signal app
called Signal Plus Messenger
represents the first documented case
of spying on a victim's Signal communications
by secretly auto-linking the compromised device
to the attacker's Signal device.
Here's a second story that may or may not be traceable to Chinese intelligence services.
Researchers at security firm Trend Micro describe a cyber espionage campaign
by a cyber criminal group the researchers call Earth Estries.
The threat actor is targeting organizations in the government and technology
industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S.
Trend Micro states, we believe the threat actors behind Earth Estries are working with high-level
resources and functioning with sophisticated skills and experience in cyber espionage and
illicit activities.
The researchers refrain from making any attributions, but they note that there are some overlaps between Earth Estries and the China-linked FamousSparrow APT.
We note that they did describe Earth Estries as having high-level resources and some cyber espionage sophistication,
so the hints are still circumstantial, but as the old saying has it,
if it walks like a duck and sounds like a duck, it's probably a duck.
Early this morning, the Five Eyes, the intelligence services of Australia, Canada, New Zealand,
the United Kingdom, and the United States, issued a joint advisory providing further
details on the malware Infamous Chisel, used in a GRU cyber espionage campaign first described
early this month by Ukraine's SBU. Infamous Chisel targets Android devices on behalf of Sandworm,
the threat group associated with GRU's Main Center for Special Technologies.
The U.S. Cybersecurity and Infrastructure Security Agency explains that it performs periodic scanning of files and network information for exfiltration,
including system and application configuration files.
It provides network backdoor access via a Tor hidden service and SSH, as well as other capabilities that include network monitoring, traffic collection, SSH access, network scanning, and SCP file transfer.
Infamous Chisel isn't sophisticated or well-crafted malware. The Five Eyes assess
the malware's components as representing low to medium sophistication. They appear to have been
developed with little regard to defense evasion or concealment of malicious activity. Its targets
seem to have been mainly Ukrainian military devices. The UK's National Cyber Security Centre
framed the report as an instance of support for Ukraine. Paul Chichester, NCSC Director of Operations, said,
The exposure of this malicious campaign against Ukrainian military targets
illustrates how Russia's illegal war in Ukraine continues to play out in cyberspace.
Our new report shares expert analysis of how this new malware operates
and is the latest example of our work with allies in support of Ukraine's
staunch defense. The UK is committed to calling out Russian cyber aggression and we will continue
to do so. In addition to GRU cyber espionage, Russian cyber activity continues in the form of
implausibly deniable hacktivist cutouts, tools and fronts for Moscow's intelligence services.
NoName057(16), the Russian hacktivist auxiliary, moved from operations against Poland to hit a
similar target set in the Czech Republic. The Brno Daily today reported distributed denial
of service attacks against a number of Czech banks as well as the Prague Stock Exchange.
These were nuisance-level attacks representing no threat to the organizations' or their customers'
data. NoName says the attacks are intended to punish the victims' support for Ukraine
and to induce them to reconsider such support. Full service was restored at most sites within hours of the attack.
Anonymous Sudan, which is probably neither Sudanese nor anonymous, but rather a hacktivist
auxiliary answering to Russian intelligence services, yesterday disrupted the social media
platform X in about a dozen countries, the BBC reports. The nominal goal of the action was to get Mr. Elon Musk
to open up Starlink service to Sudan.
The hacktivists, stung by widespread suspicion
that they're really a bunch of Russians,
offered the BBC such evidence as images of passports
to attest to their bona fides as for real Sudanese.
Judge for yourselves.
It's worth noting that the Russian cyber operations deployed in the current hybrid war against Ukraine, apart from some wiper attacks
executed in the opening hours of the shooting war a year and a half ago, have largely been confined
to conventional cyber espionage and nuisance-level hacktivism. The much-feared crippling bolt from the blue
has yet to arrive. Turning to a newly discovered vulnerability, researchers at security firm
Contrast Security have discovered a deserialization vulnerability affecting Spring Kafka,
a project used for development of Kafka-based messaging services.
Contrast explains, insecure deserialization occurs when a vulnerability allows untrusted or unknown data to be passed, enabling a denial-of-service attack, code execution,
authentication bypass, or other types of abuse to an application's logic.
The researchers were able to develop a proof of concept that could
conduct remote code execution or denial of service attacks. VMware has issued a patch for the
vulnerability. And finally, the University of Michigan has restored internet to its Ann Arbor,
Dearborn, and Flint campuses after sustaining a cybersecurity incident over the weekend, EdScoop reports.
The company had severed its networks from the Internet due to a significant security concern.
University President Santa J. Ono stated yesterday, We expect some issues with select UM systems and services in the short term,
and not all of our remediation efforts are complete.
However, they will be resolved over the next several days. The university is working with federal law enforcement to investigate the incident.
It seems the university took quick and decisive action to respond to the attack,
which itself argues that they had prepared and exercised that response.
That's the consensus of the experts we heard from,
which we'll summarize by saying,
go Wolverines.
Coming up after the break,
Deepen Desai from Zscaler explains
RedEnergy Stealer-as-a-Ransomware attacks.
Luke Nelson from UHY Consulting on ransomware's impact on schools.
Stay with us.
Luke Nelson is Managing Director at UHY Consulting.
I recently spoke with him about the state of ransomware,
its impact on schools,
and how the Biden
administration's plans will affect cybersecurity. Well, certainly as we saw schools move more
remotely with the pandemic a few years ago, there was an opportunity for bad actors to
manipulate and take advantage of that situation. So we've certainly seen cyber attacks
directionally increase for school systems,
local state governments in general,
as they've gone to more of a remote workplace.
And so as we think about what the government's response
is to those activities,
there's certainly an education component to it.
And there's certainly how do we increase the mitigants
that will disallow those bad actors to have access to, you know,
student information, you know, students being able to be productive
in the school place as well.
So how has the Biden administration addressed this? What sort of plans are they signaling here?
Yeah, it's interesting. I think about it in terms of it's been a progression. So if you look back
into 2020, I believe was when they first came out with the Cybersecurity Improvement Act
that really talked about the IoT, the Internet of Things, and the government being able to
meet the minimum security requirements that needed to take place.
The reason that was initially pushed out was because at that particular point in time,
I think there was something around mid-90% in terms of unencrypted data that was moving back and forth
between the federal government agencies. And they said, we needed to change that.
As we fast forward a little bit, there was a cyber grant program that was approved through
the State and Local Cybersecurity Act in 2022 that actually allowed funding for those state and local entities to
take federal money and increase their security posture. Where that initially started was,
you need to do a risk assessment using the NIST security framework and determine what your plan would be. In year one, I believe there was about $180 million that was distributed into those local
and state entities.
Last year, this year, I guess, it was almost double, almost $375 million, if I'm recalling
correctly, that got pushed out to use.
Simultaneously, as that $375 million was being approved, the Biden administration and the
Department of Education came out and said, we want to make sure that the Department of Education is
pushing out some standards as well to specifically K-12 schools.
So my assumption is that part of that money that has already been tagged for that local and state government funding grant program will actually make its way into the K-12. I would also anticipate through directly the Department of Education for not
only vendors to be able to be selected for the education, for the hardening of devices and the
like, but also for the Department of Education to take a look at how students are learning in this
new kind of remote world and whether or not that they feel as if
there needs to be some adjustments to the overall infrastructure.
Yeah, it really seems like a huge problem to tackle, not the least of which is, you know,
that schools are run by the states. And so there's so many different ways of organizing the districts
and the different sizes and different ways of
funding them. It's going to be a challenge for the feds to come in here. I mean, I suppose on the one
hand, every school system welcomes additional funding from the feds to help them tackle this
problem. Yeah, that's exactly right. The intention of the Local and State Investment Act is really to take federal monies and distribute it to those local and state agencies to determine how they want to use it.
We have seen some of that be used specifically for schools, but obviously it's intended to be a broader reach other than just schools. However, with the recent acknowledgement from the Biden administration on specifically the Department of Education
and how they want to be moving through the process, they'll either use those federal funds
to do something similar specifically for K-12, or there will be additional funds allocated
based upon the findings that they're seeing
as part of this initial rollout.
It strikes me that cybersecurity in particular
is something that has broad bipartisan support,
which is a bit of a unicorn in today's political environment.
Do you feel as though the Biden administration
is doing a good job of taking advantage
of that sentiment these days?
Yeah, I think, you know, it's ever-evolving, right?
I mean, unfortunately, the cybersecurity space
is evolving in real time, right?
You know, from a day-to-day perspective,
that industry, and I'll call it an industry,
is well-funded, whether that's nation-state actors or private institutions who are going
after assets, right? I mean, they want to see a return on what they're seizing. I'll call it that,
right? So in terms of like a ransomware type of an event, right? If you can lock down a school for a number of days or get access to student information, can I make $50,000
and not get prosecuted for it? We're seeing a lot of that take place basically because the price
point for entry is so what? A couple thousand dollars, right, you can spin off an environment that you could go and act in a nefarious capacity for these school districts, right?
And that's going to continue to evolve. outstanding processes in the human component as to whether or not we need to educate more
versus hardening technology systems, which I do think is part of the answer.
So I do think they're taking advantage of what the current sentiment is. But also at the same
time, it's a reality of as we move more and more into a digital world, we obviously move more
quickly due to COVID and the pandemic into the space,
but we're going to continue to move more digitally or continue to for school systems.
And now's the time to take a look at and say, how do we want to design this differently in the future?
That's Luke Nelson from UHY Consulting.
And joining me once again is Deepen Desai.
He is the Global CISO and Head of Security Research and Operations at Zscaler.
Deepen, it's always my pleasure to welcome you back to the show.
I want to talk today about some research that you all recently put out.
This is Ransomware Redefined: RedEnergy Stealer-as-a-Ransomware attacks.
Help me understand what you all are uncovering here.
Yeah, thank you, Dave. RedEnergy Stealer,
and this actually is a campaign that we spoke about at a security conference, Botconf, early this year.
The team in this case actually discovered a new family,
honestly a new threat category,
which we have dubbed Stealer-as-a-Ransomware.
So the family involved here, RedEnergy, uses a fake update campaign,
and it's responsible for targeting multiple industry verticals.
The goal over here is to steal information from various web browser and exfiltrating sensitive data.
And then it also has these additional modules incorporated inside.
And one of them, as I mentioned earlier, is ransomware.
So this is where they're encrypting the files,
and that's where we're seeing this interesting merge of activities
of a stealer as well as ransomware.
So in terms of them activating the different tiers of capabilities here,
is this a case where are they stealing the information first and then if they don't get what they want,
do they threaten the ransomware component or how are they coming at things?
Yeah, so in the campaign that we observed,
we didn't see the ransomware functionality invoked.
But as we analyzed the payload that was planted on the endpoint,
the main focus was, yes, there was active stealing of information
once the attack is successful.
But when we analyzed the payload
and we looked at all the different capabilities,
the malware actually includes a ransomware module
that encrypts the user data and the extension
they used was an interesting one as well.
I won't spell it.
Basically, the goal over there is to render
the system unusable.
And if the payload has been installed
on multiple systems, then it's going to cause
business disruption as well. We did not see any kind of lateral propagation module in this, but
that's still possible as a second stage payload that they can download, that they can always
download on one of the systems that's infected and then move laterally from that point onward.
I see in the research here that they're also going after your backups.
Yes. Deleting backup is an important functionality,
especially when you encrypt data
and the user is able to easily revert back
to the previous backup.
If you want the ransomware functionality
to be effective,
this is something that they will always incorporate.
Now that's where doing those offline backups,
air gap backups,
where your backup information is secure
even after these type of activities done on your endpoint
is extremely important.
And what have you seen in terms of who these folks seem to be targeting?
So they were targeting multiple industry verticals,
but we specifically saw them targeting manufacturing industries.
And there were multiple companies that we saw,
all of which had notable LinkedIn and internet presence as well.
So I would say in this manufacturing industry is their primary target over here.
And how does someone find themselves infected with this?
You mentioned this is a fake update campaign.
Yeah, it's the old, you know, hey, your plugin needs to be updated, your browser needs to be updated,
and this is where the infection chain starts.
When someone falls for this,
the initial payload gets installed.
It will then attempt to escalate privilege.
It will also download further payloads
and the C&C activity begins from that point onward.
I see.
All right.
Well, Deepen Desai is the Global CISO and Head of Security Research and Operations at Zscaler.
Deepen, thank you so much for joining us.
It's my pleasure, Dave. Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with original music by Elliot Peltzman. Thanks for listening.
We'll see you back here tomorrow.