CyberWire Daily - Iranian threat actor exploits N-day vulnerabilities. Subdomain hijacking vulnerabilities. The Discord Papers. An update on Russia’s NTC Vulkan. And weather reports, not a Periodic Table.
Episode Date: April 18, 2023

An Iranian threat actor exploits N-day vulnerabilities. CSC exposes subdomain hijacking vulnerabilities. More on the Discord Papers. An update on Russia's NTC Vulkan. Joe Carrigan on the aftermath of a $98M online investment fraud. Our guest is Blake Sobczak from Synack, host of the podcast WE'RE IN! And threat actor nomenclature: a scorecard, and a Periodic Table no more.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/74

Selected reading.
Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets (Microsoft Security)
An Iranian hacking group went on the offensive against U.S. targets, Microsoft says (Washington Post)
New CSC Research Finds One in Five DNS Records are Susceptible to Subdomain Hijacking Due to Insufficient Cyber Hygiene (CSC)
DOD Assessing Document Disclosures and Implementing Mitigation Measures (U.S. Department of Defense)
After leak, Pentagon purges some users' access to classified programs, launches security review (Breaking Defense)
Why Did a 21-Year-Old Guardsman Have Access to State Secrets? (Vice)
U.S. officials have examined whether alleged doc leaker had foreign links (POLITICO)
The Air Force Loves War Gamers Like Alleged Leaker Teixeira (Military.com)
FBI Investigating Ex-Navy Noncommissioned Officer Linked to Pro-Russia Social-Media Account (Wall Street Journal)
Pentagon leak suggests Russia honing disinformation drive – report (the Guardian)
Dragos Analyzes Russian Programs Threatening Critical Civilian Infrastructure (Dragos)
Microsoft shifts to a new threat actor naming taxonomy (Microsoft)
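The CSC finding summarized above rests on two observable signals: a subdomain whose CNAME target no longer resolves, and a subdomain that still resolves but whose service answers 404 or 502. The script below is an added example, not code from the episode, from CSC or from any of the linked reports. It triages a zone export for those two signals. The zone records, the resolver answers (RESOLVABLE) and the HTTP status codes (HTTP_STATUS) are constructed so the example runs offline; fake_resolver and fake_http_status stand in for real DNS and HTTP lookups, and the two-label apex rule in is_external is a simplification that a real run would replace with a public suffix list.

```python
"""Dangling-CNAME triage for subdomain-hijacking candidates.

Added example; not code from the CyberWire episode or from CSC's report.
The zone export, resolver answers and HTTP status codes below are constructed.
In production, replace fake_resolver/fake_http_status with real lookups;
the classification logic stays the same.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed zone export: "owner  type  target", one record per line.
SAMPLE_ZONE = """\
; constructed sample, not a real zone
www.example.com.       CNAME  example-prod.azurewebsites.net.
blog.example.com.      CNAME  example-blog.github.io.
old-shop.example.com.  CNAME  legacy-shop.s3-website-us-east-1.amazonaws.com.
docs.example.com.      CNAME  example-docs.herokuapp.com.
mail.example.com.      CNAME  ghs.googlehosted.com.
intranet.example.com.  CNAME  web01.example.com.
api.example.com.       A      203.0.113.10
"""

# Constructed resolver view: does the CNAME target still resolve?
# Targets missing from this table are treated as NXDOMAIN.
RESOLVABLE = {
    "example-prod.azurewebsites.net.": True,
    "example-docs.herokuapp.com.": True,
    "ghs.googlehosted.com.": True,
    "web01.example.com.": True,
}

# Constructed HTTP view: status code returned when fetching https://<owner>/
HTTP_STATUS = {
    "www.example.com.": 200,
    "docs.example.com.": 404,
    "mail.example.com.": None,  # not an HTTP service
}


@dataclass(frozen=True)
class Finding:
    owner: str
    target: str
    reason: str


def parse_zone(text: str):
    """Yield (owner, rtype, target) tuples; comment and short lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue
        yield parts[0].lower(), parts[1].upper(), parts[2].lower()


def is_external(owner: str, target: str) -> bool:
    """True when the CNAME points outside the owner's apex, i.e. at a host a
    third party (typically a hosting provider) controls. The two-label apex
    rule is a simplification; use the public suffix list for real zones."""
    apex = ".".join(owner.rstrip(".").split(".")[-2:])
    return not target.rstrip(".").endswith(apex)


def find_dangling(zone_text: str,
                  resolves: Callable[[str], bool],
                  http_status: Callable[[str], Optional[int]]) -> list[Finding]:
    """Flag external CNAMEs whose target is gone (NXDOMAIN) or whose service
    answers 404/502, the two signals the CSC report counts."""
    findings: list[Finding] = []
    for owner, rtype, target in parse_zone(zone_text):
        if rtype != "CNAME" or not is_external(owner, target):
            continue  # A/AAAA records pointing at released cloud IPs need a separate check
        if not resolves(target):
            findings.append(Finding(
                owner, target,
                "target does not resolve (NXDOMAIN); claimable if the provider "
                "lets anyone register that name"))
            continue
        code = http_status(owner)
        if code in (404, 502):
            findings.append(Finding(
                owner, target,
                f"target resolves but serves HTTP {code}; confirm the service is still yours"))
    return findings


def fake_resolver(target: str) -> bool:
    return RESOLVABLE.get(target, False)


def fake_http_status(owner: str) -> Optional[int]:
    return HTTP_STATUS.get(owner)


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_ZONE, fake_resolver, fake_http_status):
        print(f"{f.owner} -> {f.target}: {f.reason}")
```

A non-resolving target is a candidate, not a confirmed takeover: whether the name can actually be claimed depends on the provider's registration rules, so each finding still needs a manual check against that provider before it is treated as exploitable. The 404/502 class is weaker evidence again; it includes services that are simply misconfigured, which is why the record keeps the status code rather than asserting a hijack.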
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
An Iranian threat actor exploits N-day vulnerabilities.
CSC exposes subdomain hijacking vulnerabilities.
More on the Discord papers.
An update on Russia's NTC Vulkan.
Joe Carrigan on the aftermath of a $98 million online investment fraud.
Our guest is Blake Sobczak from Synack, host of the podcast We're In.
And threat actor nomenclature: a scorecard, and a periodic table no more.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 18th, 2023.

Microsoft this morning reported that the group it's tracked as Phosphorus, and will henceforth refer to as Mint Sandstorm, has developed a specialty in weaponizing N-day vulnerabilities, that is,
vulnerabilities for which a fix or mitigation is available, but which some organizations have
failed to patch. It's also been known mostly for reconnaissance and cyber espionage, but that
may be changing, as there are signs the group is turning its attention to critical infrastructure.
Microsoft writes, Mint Sandstorm is known to pursue targets in both the private and public
sectors, including political dissidents, activist leaders, the defense industrial base, journalists, and employees
from multiple government agencies, including individuals protesting oppressive regimes in
the Middle East. Activity Microsoft tracks as part of the larger Mint Sandstorm group
overlaps with public reporting on groups known as APT35, APT42, Charming Kitten, and TA453.
Over the past two years, the group has been observed carrying out attacks against infrastructure,
and Microsoft states,
given the hardline consensus among policymakers in Tehran
and sanctions previously levied on Iran's security organizations,
Mint Sandstorm subgroups may be less constrained in carrying out malicious cyber activity.
And of course, we note in full disclosure that Microsoft is a CyberWire partner.
CSC released its Subdomain Hijacking Vulnerabilities Report,
in which it shows that over 21% of the 400,000 DNS records it queried
were likely vulnerable to subdomain hijacking.
Subdomain hijacking occurs when threat actors take over a subdomain
and use it to host their malicious content,
which could lead to further threats like phishing or hosted malware.
The report also showed that 63% of the queried DNS records
showed a 404 not found or 502 bad gateway error.
CSC explains, DNS records housekeeping is historically one of the most frequently neglected tasks due to a long history of different owners, policies, and vendors.

The U.S. Department of Defense has decided that the Discord Papers leaks are unlikely to affect relations with allies. The department is also working to make
future leaks of this kind less likely and less troublesome. The Secretary of Defense has directed
a comprehensive review of DoD security programs, policies, and procedures, with a report due in 45 days.
This study is in addition to ongoing daily attention to investigating and mitigating
the Discord leaks. Two big questions have arisen in the Discord Papers case. The first involves
opportunity. How did the alleged leaker have so much access to highly classified
information? Vice argues that expanded access was a result of the U.S. assessment that excessive
compartmentalization and poor information sharing led to the intelligence failures that enabled the
9/11 terrorist attacks. Increasing information sharing was neither pointless nor necessarily ill-advised,
but in this case, at least, supervision and proper control appear to have been lacking.
Inside Defense reports that the Pentagon is tightening up access to classified information.
The second question involves motive. Why did the alleged leaker do what he allegedly did? Politico reports that investigators are looking, so far in vain, for some foreign connection that would make the incident a
familiar, if regrettable, instance of espionage. But it seems increasingly likely that the leaker
was motivated by social media cachet, not by cash, or conviction or compromise.
It's all apparently just the frenzy of online renown.
The FBI has the blogger and podcast host Sarah Bils under investigation,
the Wall Street Journal reports.
Ms. Bils appears to have been involved in spreading the information
from the Thug Shaker Central Discord community
to the broader but still fringy internet. A U.S. official told the Journal she is actively under
federal investigation, but the circumstances of the content of the investigation are unclear at
this time. Ms. Bils says she's the victim here, and the Bureau is investigating death threats
made against her.
She said to the Journal,
I have been forthright and honest with the FBI and NCIS in regards to what my clearances were and what I had access to, which was literally nothing.
I didn't leak the documents, and they've never even been in my possession.
Since the end of March, the media have reported on activities of NTC Vulkan,
a corporate operator working against OT systems under contract to the Russian government.
The Vulkan Papers, as the leaks are being called, revealed that Vulkan is engaged in supporting a
full range of offensive cyber operations, espionage, disinformation, and disruptive attacks intended to sabotage
infrastructure. On Monday, Dragos released a study of what the Vulkan Papers mean for that last class
of activity, infrastructure disruption. Dragos took as its point of departure the coverage in
the Washington Post, and its researchers focused in particular on one of Vulkan's tools, a malware suite known as Amezit-B.
The researchers found four key takeaways.
First, the papers represent genuine leaks.
Dragos assesses with moderate confidence that the documents reviewed are legitimate
and were leaked or stolen from a Russian contracting repository.
Second, it is unlikely that these tools and
platforms are exclusively used for testing or training purposes. They represent a real
operational capability. And finally, Amezit-B represents a clear potential threat to the rail
transportation and petrochemical sectors. Dragos says modules contained in the Amezit-B platform could allow for a range of
impacts in rail and petrochemical environments, which could result in physical consequences,
including damage to physical equipment or creating unsafe conditions where injury and
loss of life are possible. And what Amezit-B seems designed to do comes from a familiar
Russian military intelligence playbook.
As Dragos puts it,
the capabilities described are consistent with previous attacks
attributed to various units of the Russian military's GRU
with tactics, techniques, and procedures
overlapping with multiple identified threat groups.
The Amezit-B platform shows an interesting convergence of cyber operations
with traditional signals intelligence and electronic warfare operations,
and it's very much a combat support system intended for battlefield use by a combatant commander.
Before we leave you today and let those of you who are just getting around to it to get back
to filing those tax returns that are due before midnight,
not you, of course, but those other people,
let's return to threat activity nomenclature.
Why change from Phosphorus to Mint Sandstorm, as Microsoft has just done today?
It's a shift in the way Redmond names threat actors.
The company is moving away from giving them elemental names and toward giving them meteorological ones. Henceforth, they'll name them as follows. Blizzard will mean Russia. Sleet, henceforth, stands for North Korea. Typhoon represents China. Sandstorm, as in this first usage, will designate Iranian activity. Storm will be used for groups in development. Tempest denotes financially motivated groups. Tsunami will be reserved for a private sector offensive actor. And finally, Flood will denote an influence operation. So you'll be able to tell the players by the scorecard without reference to the periodic table.

Coming up after the break, Joe Carrigan on the aftermath of a $98 million online investment fraud. Our guest is Blake Sobczak from Synack, host of the podcast We're In. Stay with us.
Blake Sobczak is head of communications at Synack, editor-in-chief of the newsletter README, and host of the podcast titled We're In. I spoke with Blake about the goals of the podcast
and of course, how they came to choose the title. I mean, you've seen many cheesy hacker movies,
I hope, right? And I feel like once you had that seminal line, we're in, you get that moment when
you've breached the network, you're into it. And so the goal of the show is really to get inside
the brightest minds of cybersecurity. And so the name was kind of a riff on that. But we did consider a number of alternative names and We're In was the
clear favorite. So the goal is really to interview newsmakers, innovators, government officials,
anybody really making waves in the cybersecurity industry. And we want a good mix of people on the
show. So we're not just going for those sort of InfoSec household names, although they are
more than welcome and have appeared on the show.
But also lesser known folks like Edna P. Kahn, who's a solutions architect at Synack, who
have a lot of insights to share, but maybe don't always get to seize the main stage.
And what is in it for Synack here to support your efforts?
What's the benefit?
That's a great question.
And Synack definitely has, I would say, some unique, what I call brand publishing initiatives, really.
And I'm editor-in-chief of README, which is a cybersecurity publication that covers,
on an independent basis, editorially independent from Synack, just the top happenings of the day.
So we have our ChangeLog newsletter, we have our readme.security
cybersecurity publication. And We're In is really an extension
of that. It's a way to give back to the
cybersecurity community and actually offer
some insights and really share
all of the knowledge amassed in our huge, diverse
community. And so that's kind of where Synack's
stake in this is, is really a chance
to give a platform to more people and again, build that community. And it's not like a Synack
marketing vehicle where we're always trying to hawk Synack products or share the next big Synack
solution or something. To the contrary, really, we're trying to draw newsmakers, right? People like the head of the NSA's
Cybersecurity Collaboration Center, officials from DHS. We had Nicole Perlroth on the show recently,
known as a renowned author and former New York Times journalist. And so that's really the goal,
is to kind of give back to the community, really increase everybody's knowledge and lift all boats.
And I think that's just so important in cybersecurity, as you well know at the Cyber Wire.
And it sounds like that really is the value proposition here. I mean, there's no shortage
of cybersecurity shows and lots of shows where folks interview each other. I take part in a few
of them myself. What do you suppose sets you apart when you're convincing folks that
they should give a listen? That's a great question. And honestly, being here interviewing with you is
a little bit intimidating in some sense, because you do obviously such a fantastic job with your
show. But it's great to be here. And I will say that I do have quite an extensive background in
journalism. Before joining Synack, I worked
actually at Politico as an editor, and before that covering cybersecurity for a publication
called E&E News, short for Energy and Environment, where I covered a lot of critical infrastructure
cybersecurity issues. So I think that's that knowledge base. And what I bring to the show
as host and trying to keep things both conversational, but also drawing
on that knowledge of reporting and just asking even tough questions of our guests really does
set the show apart from some of the others. But I won't say from yours, but we'll just leave it
there. I've only been in the podcast business for a little bit here. Oh, you're very kind,
Blake. You're very kind.
So are there any particular conversations that have stood out to you,
things that perhaps are unexpected or exceptional? Well, I will say one unexpected moment was when
a red-tailed hawk landed on the window of Proofpoint senior threat intelligence analyst
Selena Larson in the middle of our conversation, which was kind of funny. She's like, wait a minute, there's a hawk. I'm sure you've experienced
your fair share of podcast interruptions from various pets and whatnot.
Typically, it's chainsaws, jackhammers, and leaf blowers are our natural enemies.
Oh, yes.
I don't know that I've had it. Well, I have dealt with the people who've had cages full of birds in the room that they're trying to record in.
So that's always fun.
That is not advisable, I would say, when you're recording a podcast.
But yeah, I try to keep my orange tabby in the other room when I'm recording.
But on a serious note, I will say from a content perspective, one of the more memorable conversations that I had was with Wired journalist Andy Greenberg.
And he had a new book just come out, which I actually would encourage everybody to check
out.
It's just a fantastic read called Tracers in the Dark, really documenting this history
of crackdowns on cryptocurrency and actually managing to follow the money back to some of these
absolutely abhorrent kingpins and cybercriminals using what they thought were anonymous
cryptocurrencies. And I'm using air quotes here. But in fact, actually, with the right mix of
expertise and government intervention could be traced back to where it all started and actually
wound up with some multilateral
international law enforcement takedowns
for some of these sites,
which was really, it's really riveting stuff.
And so I really enjoyed that conversation with Andy.
Well, Blake, the show is called We're In
and we are thrilled to have it join us here
at the Cyber Wire Network.
Any final thoughts before we wrap up today?
Well, I actually wanted to ask you a question. We always ask of our guests something that we
wouldn't know about them just from reading their LinkedIn profile. So I'm actually curious if you
could share something that we wouldn't know about you, Dave, from reading your LinkedIn profile.
Oh, gosh. I would say this all started with a puppet show.
When I was a wee child, I believe the first puppet I ever got was a Cookie Monster puppet for Christmas from Sesame Street. And I started doing puppet shows for anybody,
my poor suffering parents, friends, family, neighbors. And that led to actually someone realizing that I could do
voiceover work when I was about eight or nine years old. And decades later, here we are. So
thank you, Sesame Street. Thank you, Cookie Monster. Who knew, right?
Who knew? That is a fun fact. I don't know if we'd find that on your LinkedIn,
but maybe you should put it because honestly, puppet show skills underrated,
I think, in the scheme of things here. It's generally not something you'd lead with at a
cocktail party, but also no shame in it either. No, no, absolutely not. Well, I really appreciate
you having me on the program, Dave. It's great talking with you. And yeah, I hope some of your
listeners will consider checking out the We're In podcast. It's available on all your go-to podcasting platforms.
All right.
Well, Blake, thanks so much for joining us.
Thank you.
That's Blake Sobczak from Synack.
He is host of the podcast, We're In.
You can find it wherever all the fine podcasts are listed. And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins
University Information Security Institute, and also my co-host over on the Hacking Humans podcast.
Hello, Joe. Hi, Dave. So, interesting story here from Bleeping Computer. I suppose some good news.
This is an article titled, Five Arrested After 33,000 Victims Lose $98 Million to Online Investment Fraud. What's going on here, Joe? So, this starts off with a very simple social engineering ploy
that we talk about frequently over on Hacking Humans. And it's from organizations. It doesn't
really name them, but I'm going to go ahead and say this in here. Good old organizations like
Google and Facebook and Trade Desk and all these other places that have ad networks. One of the
ways these guys make money, and they don't do this deliberately,
but it does attract this kind of person,
is they sell ads to people that are running fraudulent businesses.
So there were ads on social media talking about
opening an account with us will make you huge returns.
And people would open accounts with this business that didn't really exist.
And the first thing they do is deposit 250 euros into the account.
My hunch is that immediately that money's gone.
But once you gave them all the information, someone would call you then.
Because when you open a bank account pretty much anywhere in the world,
in the industrialized world, you need to provide a bunch of information.
And banks say, hey, it's part of our know your customer requirements.
We need your name.
We need your address.
We need your phone number.
Right.
So all that has to be legit.
And then these guys called them, pretending to be financial advisors, and they promised even higher profits on bigger investments.
Right?
You know how much money you've been making
that little 250 bucks you put in. Why don't you put in like 2000, $3,000. Take it to the next level.
We'll take you to the next level. Right, right. They were dealing in something called binary
options. I had to look this up. I've never heard the term before and it doesn't really happen in
the US a lot, but basically in a regular option is the right to buy or sell a stock at a particular price.
Yeah.
And when you buy that option, you lay down cash in order to secure that right.
If the stock goes up and you have the right to buy it at the low price, then whatever the difference is between the option price and the price that you can actually sell it at, that's kind of your profit.
Binary options don't work like that at all.
Binary options, you don't have any right to buy or sell the stock, right?
All you have is the right to – or all you do is you bet that the stock price is going up.
It's kind of like, I would liken this to
almost placing a casino bet based on a stock price movement. So you buy an option for 40 bucks.
The price goes above the option. You get a hundred bucks, make 60 bucks profit. If the price doesn't
move above that strike price, you just lose your initial investment. And that's how these guys
were getting money out of these folks. I don't know if they were saying, hey, you won today. Here's your 60 bucks. Look, it's in your account. Don't you
want to make a big purchase on the next option? I think this one's going to go high. Oh, I was
wrong about that. Sorry. I don't know what kind of social engineering attacks were going on inside,
but they were running illegal call centers out of Sofia in Bulgaria. They also had call centers in Ukraine and in Cyprus.
And they were taken down in a joint operation a little while ago.
And now they have just arrested five more people, which is really interesting.
One of the things that the article talks about, it says,
today's announcement comes after Ukraine's cybersecurity police and Europol identified and arrested five key members of another international investment fraud ring behind estimated losses of more than 200 million euros that was lost over a three-year period, small potatoes compared to this other 200 million euros every year that these guys were making.
Yeah, I mean I wonder to what degree are the social media platforms responsible here?
The social media platforms and the ad brokers.
Yeah, exactly.
That's where I was going with this.
I think,
I would argue that ethically and morally,
they have more culpability
than they might think they do.
But legally,
they probably don't have very much at all.
Right.
Right.
They probably just have to demonstrate
they're putting forth a good faith effort
to not let this kind of stuff
come onto their platform.
And they're probably doing
the bare minimum legal requirements to keep this stuff off. But in the end, Dave, it's still money
that they make. If they thought this was fraudulent and they go, no, no, that's fraudulent,
they're walking away from a sale. And there's a real, I don't even know if I'd call it a conflict
of interest on their part, but it's a social conflict of interest here. Yeah, a perverse incentive.
Yeah, there is a perverse incentive.
That's what I'll say.
That's a good word.
That's Dubner and Levitt, right?
They coined that phrase.
Or maybe it wasn't them.
They just used it a lot.
Okay.
And that's where I read it.
Yeah.
All right.
Well, as we say,
it's nice to see some good news here
to find some folks facing justice.
Hopefully these guys will enjoy some time away in a nice, comfortable European prison cell.
There you go. There you go.
All right. Well, Joe Carrigan, thanks for joining us.
It's my pleasure.
Thank you.

And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Trey Hester, with original music by Elliot Peltzman.
The show was written by John Petrik.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.