CyberWire Daily - Hackers support Iranian dissidents. Notes on C2C markets. Cyberespionage campaigns. Intercepted mobile calls from Russian troops expose morale problems.
Episode Date: September 29, 2022
Gray-hat support for Iranian dissidents. Selling access wholesale in the C2C market. Novel malware’s discovered targeting VMware hypervisors. The Witchetty espionage group uses an updated toolkit. Deepen Desai from Zscaler has a Technical Analysis of Industrial Spy Ransomware. Ann Johnson of Afternoon Cyber Tea speaks with Michal Braverman-Blumenstyk, CTO for Microsoft Security, about Israel's cyber innovation. And Russian troops phone call revelations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/188
Selected reading.
Hacker Groups take to Telegram, Signal and Darkweb to assist Protestors in Iran (Check Point Software)
Hackers Use Telegram and Signal to Assist Protestors in Iran (Infosecurity Magazine)
Hackers Aid Protests Against Iranian Government with Proxies, Leaks and Hacks (The Hacker News)
Hackers seek to help — and profit from — Iran protests (The Record by Recorded Future)
Ransomware and Wholesale Access Markets: A $10 investment can lead to millions in profit (Cybersixgill)
Selling access wholesale in the C2C market. (CyberWire)
Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors (Mandiant)
Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors (Mandiant)
Mandiant has identified new malware that targets VMware ESXi, Linux vCenter servers, and Windows virtual machines. (CyberWire)
Securonix Threat Labs Security Advisory: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors (Securonix)
Steep#Maverick cyberespionage campaign. (CyberWire)
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East (Symantec)
Witchetty espionage group uses updated toolkit. (CyberWire)
‘Putin Is a Fool’: Intercepted Calls Reveal Russian Army in Disarray (New York Times)
Cyber Warfare Rife in Ukraine, But Impact Stays in Shadows (SecurityWeek)
Russian hackers' lack of success against Ukraine shows that strong cyber defences work, says cybersecurity chief (ZDNET)
Failure of Russia’s cyber attacks on Ukraine is most important lesson for NCSC (ComputerWeekly)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Gray hat support for Iranian dissidents,
selling access wholesale in the C2C market.
Novel malware has been discovered targeting VMware hypervisors.
The Witchetty espionage group uses an updated toolkit.
Deepen Desai from Zscaler has a technical analysis of Industrial Spy ransomware.
Ann Johnson of Afternoon Cyber Tea speaks with Michal Braverman-Blumenstyk, CTO for Microsoft Security, about Israel's cyber innovation.
And Russian troops' phone call revelations.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Thursday, September 29th, 2022. Hacktivists and others are seeking to render aid to Iranian dissidents and protesters,
researchers from Check Point report.
Much of the activity is directed at facilitating communication and coordination among groups opposed to the regime in Tehran,
but there's also some direct hacking of government-related sites and data
with signs of some profit-taking on the side.
Check Point says,
Cybersixgill has published a report looking at network access for sale on underground markets.
The researchers say there are two broad categories of access-as-a-service for sale on the underground:
initial access brokers, which auction access to companies for hundreds to thousands of dollars,
and wholesale access markets, which sell access to compromised endpoints for around $10.
Wholesale access markets are flea markets.
The prices are low, the inventory is enormous, and the quality is not guaranteed,
as listings could belong to a random individual user or an enterprise endpoint. The researchers found that wholesale access markets have played a large role in providing initial access for ransomware
attackers. About a fifth of ransomware attacks are facilitated by initial access markets.
Mandiant has identified new malware that targets VMware ESXi, Linux vCenter servers,
and Windows virtual machines. The malware is able to maintain persistent administrative access to the hypervisor
with all the capabilities that suggests.
Mandiant has attributed this malware to UNC3886,
suspecting that the motivation is cyber espionage
with a possible connection to China.
VMware has used the information Mandiant developed
to prepare guidance for its users.
Researchers at Securonix Threat Labs have issued a report on a cyber espionage campaign they're calling STEEP#MAVERICK.
They call it a covert attack campaign, and they conclude that its targets have been multiple military and weapons contractor companies,
including likely a strategic supplier to the F-35
Lightning II fighter aircraft. The PowerShell stager the threat actor used isn't particularly
novel, but the procedures involved feature an array of interesting tactics, persistence methodology,
counter-forensics, and layers upon layers of obfuscation to hide its code.
Securonix describes the phishing email as being similar to one it had encountered in a campaign earlier this year
involving North Korea's APT37 threat group.
As has become commonplace with cyber espionage campaigns,
STEEP#MAVERICK begins with a phishing email, the hook buried in an attached
.inc file with an anodyne phishbait name like Company and Benefits. Once installed, the malware
is unusually persistent. There's no attribution, but one circumstantial detail is suggestive.
If the system's language is set to Chinese or Russian, then the code will simply exit and the computer will shut down.
The Symantec Threat Hunter team released a blog today detailing the Witchetty espionage group,
also known as LookingFrog, and their updated toolset.
Witchetty has been seen to be targeting the governments of two Middle Eastern countries,
as well as the
stock exchange for a nation in Africa. Witchetty has been using the LookBack backdoor, but it appears
new malware has been added to the group's toolkit. A backdoor trojan known as Backdoor.Stegmap has
been seen in use, using steganography, a technique in which malicious code is hidden in an image.
The payload can create and remove directories, copy files, move files, and delete files,
start a new process, download and run an executable and terminate this process,
steal local files, enumerate and kill processes, and read, create, and delete registry keys,
as well as setting a registry key value.
Symantec doesn't offer an attribution, but it does quote ESET's association of Witchetty with TA410,
a group other researchers have associated with China's Ministry of State Security.
One general lesson military services have drawn from Russia's war against Ukraine
is that the ubiquity of mobile devices and their easy access to the Internet
have combined to create a new world for OPSEC, for operational security.
That is, no one has so far figured out how to keep matters secure
when individuals now have communication capabilities
that 50 years ago would have been the envy of a national
command authority. Local citizens with cell phones taking pictures of deploying Russian units in both
Russia and Belarus gave journalists, enthusiasts, and lay observers a tolerably complete picture of
the Russian order of battle on the eve of the invasion of Ukraine. Now they're affording insight into the
state of morale in the Russian forces, and it's not a pretty picture. Ukrainian intelligence and
law enforcement agencies intercepted and recorded many of the calls Russian troops made from the
zone of attack beginning in the early days of the invasion, and the New York Times has published an
extensive selection of them. The soldiers
complain of their leaders' failure to even tell them they were being deployed to combat,
of tactical ineptitude, supply failure, and, often with horror, of the widespread atrocities
committed by their forces. A representative call early in the invasion recounted the futility of
Russian attempts to take Kyiv in a decapitation
operation, the caller stating, we can't take Kyiv, we just take villages and that's it.
Other calls reflected the shifting fortunes of the battlefield as the war turned against Russia.
Tanks and armored carriers were burning.
They blew up a bridge and a dam.
The roads flooded.
Now we can't move.
Casualties are said to be high.
From my regiment alone,
one-third of the regiment,
one soldier told a family member.
A common view of the war is that it was founded on lies.
As one soldier said to his mother,
Mom, we haven't seen a single fascist here.
The war is based on a false pretense.
No one needed it.
We got here and people were living normal lives.
Very well, like in Russia.
And now they have to live in basements.
The old lady who lived near us had to live in the cellar.
Can you imagine?
There's a great deal more like this.
President Putin himself comes in for a great deal of adverse comment.
Given the increasingly hands-on role he's played as he's progressively lost confidence in his combat commanders and the military and intelligence establishments generally, that frontline odium seems fair enough.
The authenticity of the intercepts seems beyond question.
The Times wrote,
All soldiers gripe in every army, at all times and in all places,
but what's being heard in the intercepted phone calls goes well beyond the soldierly norms of grousing, discontent,
and the customary sense of being underappreciated and ill-used.
Russia's army has a serious morale problem.
That problem is rooted in loss of confidence in the chain of command
and a recognition that the army's training and logistics have been utterly inadequate to its mission.
And finally, Ukraine has warned that Russia is preparing a fresh wave of attacks.
While Russian cyber operations have underperformed in the war,
in part because defenses have proved more effective than expected,
the U.S. Cybersecurity and Infrastructure Security Agency, CISA, has tweeted a reminder that relaxation of vigilance would at this point be premature.
So, shields up.
Coming up after the break,
Deepen Desai from Zscaler has a technical analysis of industrial spy ransomware.
Ann Johnson of the Afternoon Cyber Tea podcast
speaks with Michal Braverman-Blumenstyk,
CTO for Microsoft Security,
about Israel's cyber innovation.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io. Ann Johnson is host of the Afternoon Cyber Tea podcast.
In a recent episode, she spoke with Michal Braverman-Blumenstyk,
Chief Technology Officer for Microsoft Security, about Israel's
cyber innovation. Israel has long been a center for cyber innovation, and some of those cutting-edge
technology companies come from Israel. So tell us why that's the case. What makes Israel so special?
So first of all, you are absolutely right. There is a lot of innovation in cybersecurity and in high tech in general that comes from Israel.
As a matter of fact, you know, Israel is not a big country.
It's only less than 9 million people, which is about 0.1% of the world population.
But if we look at the investment in cyber, the investments in cyber in Israel are 38% of all global investments in cyber, which I find amazing.
As we think about then, you know, the wonderful work that you're leading in ILDC and the work
that you're doing as the CTO for the cybersecurity
business at Microsoft. Let's talk a little bit about ecosystem because I know you spend a lot
of time talking to customers, partners, founders, startups, venture capitalists, etc. What are you
hearing from them now? What do you think some of the trends are and what is keeping our security
leaders up at night? It's interesting that when I look at the ecosystem and our customers and partners,
I find that they become more and more educated on cyber threats and on cybersecurity in general.
And the more they become educated, the more worried they are, the more sleep they lose at night.
And I understand that.
And let's focus on some of the trends that batter the ecosystem.
So first of all, attacks are becoming more sophisticated.
They're becoming more sophisticated not only because the attackers are technology savvy
and they have the most amazing technology. As a matter of fact, it's almost a
mirror picture of the technologies that we are using in the good part of the industry. But they're
also leveraging sophisticated business models, and they create their own ecosystem. So it's really
a whole, very sophisticated industry. Part of that role, I know, is looking
into the future and determining what technology and engineering investments Microsoft needs to make,
how to empower our customers, how to keep our customers successful. So what has you excited?
What technology are you thinking about right now? So first of all, cybersecurity is very exciting.
The reason it's so exciting, it's like playing chess.
You have an opponent.
When you just develop software, you don't have an opponent.
You just have to develop good software.
However, when you develop and design cybersecurity products, you always have to be one step ahead of your opponent.
You can hear more of this interview and indeed the entire library of Afternoon Cyber Tea podcasts right here on the Cyber Wire podcast network.
And I'm pleased to be joined once again by Deepen Desai. He is the Chief Information Security Officer and VP of Security Research and Operations at Zscaler.
Deepen, always great to welcome you back to the show.
I want to touch base with you today about some research that you and your colleagues have posted. You all had an eye on the Industrial Spy ransomware. What's going on here?
Thanks, Dave. So Industrial Spy is a relatively new ransomware group that emerged in April 2022.
In some instances, when the team was tracking this group, it appeared that they were only exfiltrating and ransoming based on the data.
While in some of the other cases, they were actually going through the file encryption, exfiltration, and then demanding ransom. If you look at the history of this group, Industrial Spy started as a data extortion marketplace
where criminals could buy large companies' internal data.
They actually promoted this marketplace using a readme.txt file
that was downloaded using malware downloaders disguised as cracks and adware.
And after these initial promotional campaigns,
what we're now starting to see is
the threat group has introduced their own ransomware
to create these double extortion attacks.
That's interesting.
What are some of the key things
that drew your attention to this group?
Any particular ways they stand out?
Yeah, so I think the change in the tactic I already outlined,
where they started with only focusing on data
to going full-blown ransomware double extortion attacks.
We also noticed that before they released their own version of ransomware,
they briefly tried the Cuba ransomware family and probably ended up deciding
to code their own payload in May of 2022. The threat group does exfiltrate and sell data
on their dark web site, right, as I mentioned. So they already have the infrastructure for the selling of data and monetizing that piece.
The ransomware utilizes a combination of Triple DES and RSA to encrypt the files on the victim machine.
We did notice that Industrial Spy lacks many common features which are present in modern ransomware families.
And that's where, again, I'll club this into in-development malware family.
Many of the commonly seen anti-analysis and obfuscation techniques are missing.
So it was relatively easy for our analysts to reverse and dissect the payload that was observed.
What sort of velocity does it seem as though they're running here?
Are they a particularly active group?
Yeah, so in terms of payloads, we're not seeing that many new payloads.
There are very few payloads we've seen so far.
We're tracking all the public sources as well, like things like VirusTotal
as well as things that we're seeing in the cloud.
The number of new unique payloads is fairly low, but we're still noticing the group is consistently adding two to three new victims every month on their data leak portal.
So they are enjoying success in terms of successfully infiltrating some of these organizations.
It's interesting to me that they decided to roll their own ransomware here, and particularly when you think about how many ransomware as a service offerings are out there to take
the effort to do this.
Does that strike you as interesting as well?
Yeah, it is interesting. But then again, in this case, because this group appears to know the in and out of the operations already,
they're trying to control their own destiny by holding the source of the ransom
and adding updates and features that match their operation style.
So we do expect this threat group will continue to stay active,
at least in the near future,
with more updates and features getting added in the payloads.
All right, interesting stuff.
Well, Deepen Desai, thanks so much for joining us.
a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Liz Ervin,
Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Bilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.