CyberWire Daily - GRU operators masquerade as Ukrainian telecommunications providers. 2K Games Support compromised to spread malware. Developments in the cyber underworld.
Episode Date: September 22, 2022

GRU operators masquerade as Ukrainian telecommunications providers. Another video game maker is compromised to spread malware. Noberus may be a successor to Darkside and BlackMatter ransomware. Robert M. Lee from Dragos explains Crown Jewel analysis. Our guest is Nathan Hunstad from Code42 with thoughts on insider risk events. Threat actors have their insider threats, too.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/183

Selected reading.
Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine (Recorded Future)
Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers (SecurityWeek)
Shadowy Russian Cell Phone Companies Are Cropping Up in Ukraine (WIRED)
CISA Alert AA22-264A – Iranian state actors conduct cyber operations against the government of Albania. (CyberWire)
Iranian State Actors Conduct Cyber Operations Against the Government of Albania (CISA)
2K Games says hacked help desk targeted players with malware (BleepingComputer)
2K Games helpdesk hacked to spread malware to players (TechRadar)
Rockstar parent company hacked again as 2K Support sends users malware (Dexerto)
‘Grand Theft Auto VI’ leak is Rockstar’s nightmare, YouTubers’ dream (Washington Post)
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics (Symantec)
LockBit ransomware builder leaked online by “angry developer” (BleepingComputer)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
GRU operators masquerade as Ukrainian telecommunications providers.
Another video game maker is compromised to spread malware.
Noberus may be a successor to DarkSide and BlackMatter ransomware.
Robert M. Lee from Dragos explains Crown Jewel analysis.
Our guest is Nathan Hunstad from Code42 with thoughts on insider risk events.
And threat actors have their insider threats, too.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 22nd, 2022.
Recorded Future's Insikt Group reports that the GRU has established new infrastructure for cyber espionage against Ukrainian targets.
The threat actor UAC-0113, which CERT-UA thinks is probably associated with the GRU's Sandworm operation,
is using dynamic DNS domains as it masquerades as telecommunications providers.
It uses HTML smuggling to distribute Colibri Loader and the Warzone remote access Trojan.
The objectives of the campaign remain unclear,
but Recorded Future thinks it's a Russian combat support effort.
The tools deployed in the attacks aren't bespoke tools
developed in-house by the intelligence services,
but rather are commodity malware publicly available in the criminal-to-criminal market.
Russian telecommunications outfits have indeed established services in territories occupied by the Russian army,
but these are overt operations intended to replace Ukrainian providers with Russian ones.
Wired reports that as Russia's battlefield fortunes have experienced reversals, the telcos have retreated with the troops.
The point of setting up Russian services to replace Ukrainian ones is at least twofold. It helps normalize the Russian occupation, acclimating the population to accepting it as an accomplished permanent state of affairs.
Equally importantly, it increases the Russian ability to control what Ukrainians say, show, see, and hear.
CISA has issued a joint warning with the FBI outlining the conduct of the cyber campaign Iran waged earlier this month against Albanian government targets.
The warning includes recommended protections and mitigations should the campaign spill over to targets outside Albania.
A second Take-Two Interactive brand, 2K Games, has sustained a compromise.
Spoofed support communications that misrepresented themselves
as coming from 2K Games' support desk
were found to be spreading the RedLine stealer.
Family-friendly 2K's edgier corporate sister Rockstar Games had seen an intrusion
that compromised some games under development.
2K's compromise was in some respects more serious
in that it represents a threat to users and not simply a disclosure of
intellectual property. 2K's support tweeted a warning yesterday that explains what is determined
about the incident, saying, earlier today we became aware that an unauthorized third party
illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to
provide support to our customers.
The unauthorized party sent a communication to certain players containing a malicious link.
Please do not open any emails or click on any links that you receive from the 2K Games support account. The communication goes on to recommend a range of best practices any affected users might
follow to minimize the damage. The goal of the
compromise was distribution of an info stealer. TechRadar reports the attackers would first open
up a fake tech support ticket and soon after reply to it. In the reply message, they'd share a file
named 2klauncher.zip, inviting the players to run it on their endpoints. The file turned out to be Redline Stealer, a known info stealer that's capable of grabbing passwords stored in the browser,
stealing banking data, as well as cryptocurrency wallets.
Furthermore, Redline can grab VPN credentials, web browser history, and cookies.
There's no firm attribution of this second attack on a Take-Two brand,
but Bleeping Computer speculates on the basis of victimology and the method of approach
that this attack, too, is the work of the Lapsus group.
Noberus ransomware looks like it's the successor to DarkSide and BlackMatter ransomware,
and they seem to have been developed by the same crew.
The Symantec Threat Hunter team this morning released a report detailing the Noberus ransomware,
also known as BlackCat or ALPHV. It's believed that Noberus is a successor to the DarkSide
and BlackMatter ransomware families, developed by a group tracked by Symantec as Coreid.
Coreid provides ransomware as a service,
developing the ransomware for affiliates who then give Coreid a cut of the profits.
Noberus was first seen in November of 2021, coded in Rust. This is the first observed
professional ransomware strain used in attacks that was coded in the cross-platform language.
Due to its cross-platform coding language,
Coreid says that Noberus can be used on multiple different operating systems,
including Windows, ESXi, Debian, ReadyNAS, and Synology.
Noberus appeared shortly after BlackMatter was retired, and Coreid said in the rules that the ransomware cannot be used to attack the Commonwealth
of Independent States or neighboring countries, organizations in or related to the healthcare
sector, charitable or non-profit organizations, and they added that affiliates are also advised
to avoid attacking the education and government sectors. It's an interesting set of exclusions.
If we were betting, we'd say the smart
money was on the exclusion of Russia and its sphere of influence being the one that mattered.
The others are the usual empty posturing as Robin Hoods one so often finds in gangland.
Coreid also highlighted the features that make the ransomware stand out from the competition,
stating that each advert is provided with an entrance through its own unique Onion domain.
The affiliate program architecturally excludes all possible connections with forums.
Even if a full-fledged command line shell is obtained,
the attacker will not be able to reveal the real IP address of the server,
and encrypted negotiation chats can only be accessed by
the intended victim. Updates to Noberus have been continuous since release, researchers report.
An updated version of the Trojan.Exmatter data exfiltration tool was observed being used
alongside Noberus in August 2022. Exmatter was designed to steal specific file types and route them to an
attacker's server prior to the deployment of ransomware. Information-stealing malware
Infostealer.Eamfo has also been observed being used alongside Noberus and is designed to steal
credentials from backup software. And finally, even threat actors have their insiders
and, therefore, their insider threats.
The builder for LockBit's new encryptor,
version 3.0, or LockBit Black,
released just this past June in the criminal-to-criminal market,
has been leaked online, Bleeping Computer reports.
Researcher 3xp0rt tweeted early this morning
that unknown person
@ali_qushji,
whose account has been temporarily restricted
due to unusual activity,
said his team has hacked
the LockBit servers and
found the possible builder of
LockBit Black ransomware.
LockBit says it was an insider
leak and not an external attack.
After 3xp0rt's tweet, VX Underground reported that someone using the hacker name ProtonLeaks
contacted them on September 10th. ProtonLeaks at that time showed them a copy of the builder.
It's unclear whether ProtonLeaks and Ali Qushji are one person or two people, or whether perhaps their
name is really Legion. LockBit reached out to VX Underground to deny that they'd been hacked,
saying that the leak was the work of a disgruntled developer unhappy with LockBit's leadership.
The story is interesting in a number of ways, and especially in the way it reveals the way a
criminal enterprise apes many of the functions
that one finds in a legitimate business. LockBit Black had been tested for two months before its
release, and it sported novel modes of extortion and anti-analysis capabilities. Its release was
also accompanied by a bug bounty program, and the ransomware-as-a-service gang maintains a support representative,
LockBitSup, who serves as the public face of the outfit. It was LockBitSup who contacted VX
Underground to explain that LockBit had experienced an insider breach, not an external hack.
What had upset the leaker or leakers enough to motivate the leak is unclear, but evidently LockBit has some unresolved HR issues. Too much PowerPoint in the break room, we'll bet. We feel for you.
Coming up after the break, Robert M. Lee from Dragos explains crown jewel analysis.
Our guest is Nathan Hunstad from Code42 with thoughts on insider risk events.
Stay with us.
It is National Insider Threat Awareness Month, and the Cyber Wire is proud to be a media partner for the upcoming Insider Risk Summit, September 27th through the 29th.
I spoke with Code42 Deputy CISO Nathan Hunstad about how security teams think about and approach investigations for insider risk events.
Compared to times in the past, even as recently as a few years ago, the landscape is one of increased
insider risk.
And that's due to a few reasons.
One of them is that a lot of people, due to things like the great resignation and so on,
are changing jobs more frequently.
And we find that when people leave a job to go to another job,
they tend to take data with them because they believe it's going to be valuable to them in
their new role. And obviously, that presents a risk to an organization when you have sensitive
data like that that's walking out the door, possibly even to a competitor. Another reason that the risk landscape is different these days
is because people are working remotely.
They're no longer all in the office,
where you could put a perimeter firewall around your network and call it good.
They're all remote.
They're working from home.
They're working from like a coffee shop.
And because the people are distributed, it's just harder to keep tabs on what they're doing with
data. Finally, data is much more likely to be widely distributed, similar to how people are
distributed. Because companies are working or moving to SaaS tools, like online collaboration tools like Google and Microsoft, Office 365, the data
is also moving outside of the office and the file server that was on-prem.
And again, because the data is distributed, it's just a lot harder to keep tabs on where
that's moving.
So those are some of the reasons that the risk of data and the risk of insiders taking
data is higher than ever before.
You know, we mentioned that it's Insider Threat Awareness Month, and I know you and your colleagues
at Code42 prefer to refer to it as insider risk. There's some nuance there. Can you
explain the difference? So we like to talk about insider risk as opposed to insider threat, because when you just think
about the threat part of it, that assumes that the insider has already moved to a malicious
posture where they're doing something wrong.
And instead, we need to kind of shift left and think about the risk that
all of the users in the organization may present before they kind of take that malicious step,
or even if they do something that isn't necessarily malicious at all. They could be
mishandling data in an attempt to get their job done, and they're not acting maliciously. They're just not
handling the data in the way that they should be per your corporate sanctioned tools and your
policies. So we think that if you just focus on the threat and the people that are already malicious
and doing the bad things, you're missing that broader risk picture. Because most of the time,
people who may have access to data, they never move to the threat phase.
They don't become actively malicious.
How much of this is setting expectations, making sure that people know if you move on to another job, well, it's not really good for you to take your Rolodex with you.
We're not okay with that.
Yeah, absolutely. And one of the foundations of a good insider risk management program is education and setting those expectations with your users. If people aren't educated as to what the right
way to collaborate with trusted vendors, for example, or what data you're allowed to take
with you when you leave versus the data you're not allowed to take with you when they leave,
then users will substitute their own judgment for that.
And, you know, must be honest, users don't always have the correct judgment when it comes to those questions.
So you have to educate, educate, educate on a constant basis.
And the best way to do that is not only doing it when somebody's onboarded or through your annual or periodic security training, but in response to things that actually represent true risk.
So if they do accidentally share something in a way they shouldn't have, if you can educate them immediately, then that message is going to last. What are your recommendations for organizations
who want to do a better job of this,
for taking inventory on the things that they're doing
and the places where they can improve?
Yeah, so one of the best recommendations I can give
is to not strictly treat this as you would
another kind of like SecOps or Blue Team exercise. Because we think
that dealing with risks like malware and ransomware and some of the things that Blue Teams
and SOCs typically handle is not the way to go about it. An insider risk management program
has to have the right kind of expertise and the right people doing those kinds of business-focused
and empathetic investigations
to really understand how the business works,
how people are trying to get their job done,
and making sure that they are using the proper tools
to get their job done and collaborate
versus taking a kind of an adversarial approach
where you're looking for reasons to tell users no.
Yeah, that seems so critical to me. You mentioned empathy, and I think particularly in a technology realm, that can be a place where people come up short, but it really is important here.
It absolutely is. Because again, going back to the insider risk versus insider threat,
most people don't become the malicious, angry,
disgruntled employee looking to harm the organization. They're simply trying to do
their jobs and they may not have the tools or just be aware of the tools to do it in the way
that the security team wants them to do it. And so if you take that empathetic approach
and you try to understand what the users are trying to accomplish and what
their business objectives are, then you can guide them, again, educating as you go towards the right
way of doing that and kind of shepherd them away from the risky behavior they may have been
involved in before. That's Nathan Hunstad from Code42. The Insider Risk Summit is coming up
September 27th through the 29th. You can find out more on their website, insiderrisksummit2022.com.
And joining me once again is Robert M. Lee.
He is the CEO at Dragos.
Rob, it's always great to welcome you back to the show. I want to touch today on something that I saw some of your colleagues were actually blogging about over on the Dragos website.
This is this notion of a crown jewel analysis when it comes to your security assets.
What exactly are we getting at here?
At the basic level, it's an understanding
of what's most important to your business
for the functions that you're most concerned with.
As an example, a lot of infrastructure sites
have hundreds, if not thousands, of sites.
A power company, as an example, could have 2,000 or 3,000 substations.
A global manufacturer could have 500 manufacturing facilities.
And then the question, even if you only had five, the question is always going to be,
what's actually most critical?
And at a macro level, the critical sites really should be something that's done in cooperation
with the executives,
look at the disaster recovery plan, business continuity,
consider revenue, regulatory requirements,
health and safety, et cetera.
And there should be this top-to-bottom list
of those infrastructure sites.
Because you may have one global corporate IT network,
but you've got hundreds of little OT networks.
And you're going to want to know,
especially in an incident, what's the most critical.
But once you get from that macro level,
that's really once you get inside the environment,
then you're kind of identifying
what are the crown jewels in that environment.
And it shouldn't just be some arbitrary thing.
The same way that you shouldn't look at security controls
as morally good or morally bad.
It's like, look, does this one actually help us
with the scenario of risk that we care about?
So there should be some definition of what do we care about as a business,
what are two or three or four scenarios we've got to be able to deal with,
like ransomware or electric transmission outage from Ukraine-style attack
that we've seen before, if you're a power company.
What are those scenarios?
And then on those scenarios, what actually is in scope?
If we look at a safety-system-focused scenario from the 2017 Saudi Arabian case
where an adversary tried to kill people targeting safety systems,
well, the safety system, the engineering workstation, and all the support systems around it are those crown jewels
in that scenario. So going into a refinery and cleaning up the DMZ
and being like, yep, we secured the refinery, is disingenuous at best
in terms of what you're
actually trying to accomplish. But if you do the crown jewel process correctly, it can also
really guide you so that you're not overspending. You're not trying to gold plate all of these
sites, which you just don't have the resources for. It's what are the important sites and what's
most important in those sites. Let's start there. You can always expand after that. But that level
of focus and prioritization
is something most companies struggle with.
Is there a level of diplomacy that goes with this as well?
Because I can imagine as you go around
and poll people at your various locations,
they're all going to say that what we're doing here
is of the utmost importance.
Are you asking me how the DHS
got 17 critical infrastructure sectors?
No.
Go on.
Everything is critical to everybody.
This gambling infrastructure is really critical.
You're 100% correct.
And that's actually exactly the issue.
A lot of our government agencies and similar will set out,
here's what we want to do, but then people cry to them.
But we're also critical, and then it's hard to tell people no.
And they're like, okay, you're critical too,
and you just get into this mess.
So to answer your question more
thoughtfully,
there is, but it's also
kind of a tactic for the security team as well.
I don't want to play games when you're on the security
team, but it is a fundamental
and fair tactic, in my opinion,
of, based on the
various programs that already exist, right?
Your disaster recovery business, whatever.
You rank stack the 500 facilities, whatever you have.
Put it in front of the executive group, not those sites,
and say, hey, is this the right order?
Let them have that debate.
You can foster the conversation,
but it's not a security discussion anymore.
It's just about the sites.
And then you look at the risk scenarios and go,
is this what we think the risk scenarios are?
And you go, okay, well then this is the security
package. The executive committee,
the board, doesn't have the
expertise to govern that.
So once you agree on the scenarios, once you
agree on the list of the sites, then
here's what the security team feels is the
security package per site.
And here's the budget you gave us.
Therefore, we're going to get down the list
this far. And so the
diplomacy that happens is usually
the head of operations or somebody else going,
whoa, whoa, whoa, whoa, you stopped at site 20
out of 300.
What about the next 20?
We don't have the budget for that.
So either we need to decide not
to accept certain risk scenarios
below the 20 and have a less tailored package, or we should actually get more budget to do the things that you're asking us to do.
So I normally see CSOs and CIOs and others argue about how budgeting is hard and they don't have the budget.
But actually, most executive groups don't understand what you're trying to accomplish now that you historically haven't been doing.
And so they think, well, why would I need to increase it
more than 5% or 10% annually?
We're doing the same work.
Yeah, but you never digitally connected up
or digitized your plans before, and now you are.
Now we've got to do all that OT security work.
It needs a net new budget, not a 5% or 10% increase.
And that process and that structure and that prioritization
and that diplomacy, as you would call it,
all of that is what's working really effectively
for a lot of companies around the world.
It sounds like it's also in your best interest
as you go into this sort of process
to give everybody a heads up
that there's likely to be a few aha moments here.
Oh, absolutely.
And that's where, when I get in front of customers,
I always tell them, don't just roll out everything everywhere.
Don't do a peanut butter spread,
because my most critical site should not be fully protected
at the same time as my last critical site.
Instead, let's start with the top 25 to 30% of your organization.
Those are going to be crown jewels, regardless.
Those sites, guaranteed, your top 25 to 30% of your sites
are pretty critical to the company.
Let's look at those sites, design up the security package
that makes sense.
It's probably not all the stuff you're doing in IT.
You've covered mentions before where I've talked about
the five critical controls for ICS security.
There's probably five you want to start with.
But go put those five and the vendors and things you choose
for it together at, let's say, six or some reasonable amount of that 25% or 30%, depending on how many sites you actually have.
But let's say six to 10 to 15 sites, if you have that many.
Go roll it out in completion there.
Learn to operationalize it, not just get through the deployment like it's a Gantt chart.
Actually get going.
What you'll do is you'll end up finding a lot
of aha moments, not only on use cases
that are valuable to justify for the other sites,
but maybe this product doesn't work
with this product as well as you thought it was,
or this doesn't do the thing it was supposed to do.
Learn those things before you try
to have this giant rollout.
If you get it right at your critical
sites and you design out
what right looks like and show success, that's going to be your best argument as well to continue
to go. All right. Well, good insights. Robert M. Lee, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios
of Data Tribe, where they're co-building the next generation of cybersecurity teams and
technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.