CyberWire Daily - Is Conti rebranding? Commercial spyware scrutinized. Notes from the cyber phases of a hybrid war. Notes on the underworld. Software supply chain attack. Canada will exclude Huawei from 5G.
Episode Date: May 20, 2022
Was Conti's digital insurrection in Costa Rica misdirection? Google assesses a commercial spyware threat "with high confidence." Continuing expectations of escalation in cyberspace. The limitations of an alliance of convenience. Fronton botnet shows versatility. Russian hacktivists hit Italian targets, again. Lazarus Group undertakes new SolarWinds exploitation. Crypters in the C2C market. CrateDepression supply chain attack. Johannes Ullrich describes an advance fee scam hitting crypto markets. Our guest is Marty Roesch, CEO of Netography and inventor of Snort. Canada to exclude Huawei from 5G networks on security grounds.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/98
Selected reading.
Conti ransomware shuts down operation, rebrands into smaller units (BleepingComputer)
Protecting Android users from 0-Day attacks (Google)
Microsoft President: Cyber Space Has Become the New Domain of Warfare (Infosecurity Magazine)
Twisted Panda: Chinese APT espionage operation against Russian's state-owned defense institutes (Check Point Research)
Chinese Hackers Tried to Steal Russian Defense Data, Report Says (New York Times)
China-linked Space Pirates APT targets the Russian aerospace industry (Security Affairs)
This Russian botnet does far more than DDoS attacks - and on a massive scale (ZDNet)
Pro-Russian hackers attack institutional websites in Italy, police say (Reuters)
Lazarus hackers target VMware servers with Log4Shell exploits (BleepingComputer)
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups (Security Intelligence)
CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware (SentinelOne)
Canada to ban Huawei/ZTE 5G equipment, joining Five Eyes allies (Reuters)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Was Conti's digital insurrection in Costa Rica misdirection?
Google assesses a commercial spyware threat with high confidence.
Continuing expectations of escalation in cyberspace.
The limitations of an alliance of convenience.
Fronton botnet shows versatility.
Russian hacktivists hit Italian targets again.
The Lazarus Group undertakes new SolarWinds exploitation.
Crypters in the C2C market.
CrateDepression supply chain attack.
Johannes Ullrich describes an advance fee scam hitting crypto markets.
Our guest is Marty Roesch, CEO of Netography and inventor of Snort.
And Canada is going to exclude Huawei from 5G networks on security grounds.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, May 20th, 2022.
Conti's ransomware attack against Costa Rica, accompanied by calls for a general insurrection to force the government to pay its outsized ransom, may have been misdirection.
BleepingComputer reports that Conti may be breaking into smaller gangs
and rebranding itself in the process,
and that its noisy operation against Costa Rica may have been intended as a distraction.
Researchers at Advanced Intel tweeted yesterday that while some of Conti's public-facing sites,
like the Conti News dump site and its negotiation portal, remain up,
the group's Tor infrastructure has been shuttered.
It seems to be a rebranding, not a retirement,
and the splintering seems intended to escape the increasing heat Conti is feeling from Western law enforcement organizations.
But the baddies behind the brand haven't gone straight and they'll surely be back.
Recent discussions and investigations of commercial spyware and its alleged abuse by governments and other actors have focused on NSO Group and its Pegasus product.
But NSO isn't the only player in this field.
Google's threat analysis group yesterday outlined five zero days in Chrome and in Android that have been employed against Android users.
Google thinks the North Macedonian lawful intercept vendor, Cytrox, is responsible for creating the tools used to exploit the vulnerabilities.
Google's threat analysis group writes, we assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed
actors who used them in at least the three campaigns discussed below. Consistent with
findings from Citizen Lab, we assess government-backed actors purchasing these exploits
are located at least in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia.
Companies like Cytrox deploy capabilities formerly achievable only by governments.
But then if you look at the customer list, effectively, they're functioning as contractors.
Google says, our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments
with the technical expertise to develop and operationalize exploits. Google thoroughly
disapproves of the way this sector is doing business. They say, tackling the harmful practices
of the commercial surveillance industry will require a robust, comprehensive approach that includes cooperation among threat intelligence teams, network defenders, academic researchers, and technology platforms.
We look forward to continuing our work in this space and advancing the safety and security of our users around the world.
Microsoft President Brad Smith, speaking yesterday in London at the Microsoft Envision conference,
renewed calls for laws of conflict in cyberspace, Infosecurity Magazine reports.
The rules he envisions are essentially transpositions of traditional jus in bello considerations,
proportionality, discrimination, and the avoidance of perfidy. They're nonetheless sound for being familiar. Smith sees the hybrid war in Ukraine as having lent new urgency to the
development of international norms. The cyber phases of Russia's hybrid war have shown some
correlation with kinetic operations, but less than many had expected. PC Mag describes the ways in
which cyber operations appear to have been conducted
without close coordination with conventional forces.
China has generally supported Russia's invasion of Ukraine,
but that support has limits,
and Chinese cyber espionage against Russian targets has continued.
Security Affairs reports that a cyber espionage group, Space Pirates,
is targeting the Russian aerospace industry. Active since at least 2017, the group is believed
to be associated with China-linked APT groups, including APT41, Winnti, Mustang Panda, and APT27.
Positive Technologies discovered the attacks in 2019 targeting a Russian aerospace
enterprise. They've seen the malware reappear in 2020 against Russian government organizations
and again in 2021 against another Russian enterprise. Positive Technologies stops short
of directly attributing the activity to Beijing, but circumstantial evidence points in that direction.
Check Point has also observed the activity, and they're not reticent about either attribution
or identifying victims. A report yesterday details a targeted campaign that has been using
sanctions-related baits to attack Russian defense institutes, part of the Rostec Corporation.
The investigation shows that this campaign is part
of a larger Chinese espionage operation that has been ongoing against Russian-related entities for
several months. CPR researchers estimate with high confidence that the campaign has been carried out
by an experienced and sophisticated Chinese nation-state APT. They think the activity bears significant similarities
to earlier campaigns by Twisted Panda.
The goal is evidently theft of intellectual property,
and the choice of sanctions as fish bait shows once again
how quickly Chinese espionage actors adapt and adjust to world events,
using the most relevant and up-to-date lures
to maximize their chances of success.
Fronton, a botnet allegedly built by a subcontractor of Russia's Federal Security
Service, is much more versatile than initially thought, ZDNet reports. When the botnet was
first exposed by a hacktivist group in 2020, its primary goal was presumed to be launching DDoS attacks.
Now, researchers at Nisos say the botnet is more properly viewed as a system developed for
coordinated inauthentic behavior on a massive scale. Nisos explains that Fronton includes a
web-based dashboard known as SANA that enables a user to formulate and deploy trending social
media events en masse.
Late last night, Russia-aligned hacktivists of the Killnet group and its Legion affiliate
hit another series of Italian targets, specifically websites operated by the Italian Foreign Ministry
and its National Magistrates Association, Reuters reports.
The group last week had conducted a similar operation against Italian organizations.
Those were organized as retaliation for Russia's exclusion from the Eurovision Song Contest.
The nature of the attacks hasn't been further specified.
North Korea's Lazarus Group is exploiting the Log4J vulnerability
to target unpatched VMware Horizon Apache Tomcat servers,
Bleeping Computer reports.
Researchers at ASEC observed the attacks last month,
saying the attackers are deploying either the NukeSped backdoor or the Jin Miner crypto miner on the compromised servers.
In the cases where NukeSped was used, the goal of the attack was assessed to be
information gathering. IBM X-Force researchers have analyzed 13 cryptors created by cybercriminal
group ITG23 that have been used with malware by ITG23 and its third-party distributors.
Cryptors are applications that encrypt and obscure malware so that it isn't
detected by antivirus software and malware analysts. One cryptor has seen repeated use
with the Qakbot banking trojan, with one notable appearance with the Gozi banking trojan.
X-Force found evidence that ITG23 had been scaling up their crypter efforts by mid-2021,
with some use by Emotet and IcedID malware,
which suggests a possible link between ITG23 and Emotet and IcedID operators.
Researchers at SentinelLabs describe a supply chain attack against the Rust development community that they're calling CrateDepression.
They write,
the malicious dependency checks for environment variables that suggest a singular interest in
GitLab continuous integration pipelines. Infected CI pipelines are served a second-stage payload.
We have identified these payloads as Go binaries built on the red teaming framework Mythic.
Given the nature of the victims targeted,
this attack would serve as an enabler for subsequent supply chain attacks at a larger scale
relative to the development pipelines infected.
The campaign appears to use some social engineering.
Sentinel Labs said,
We suspect that the campaign includes the impersonation of a known Rust developer
to poison the well with source code that relies on the typo-squatted malicious dependency
and sets off the infection chain.
And Reuters reports that Canada will join the other members of the Five Eyes
in banning Huawei from its 5G infrastructure.
Industry Minister François-Philippe Champagne said,
we intend to exclude Huawei and ZTE from our 5G networks. Providers who already have this
equipment installed will be required to cease its use and remove it under the plans we're announcing.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Marty Roesch is CEO of Netography, a network security company that's looking to take on the challenge of today's distributed, dispersed networks and users, what they refer to as the atomized network.
Before joining Netography, Marty Roesch was the founder and CEO of Sourcefire, and before that, the creator of the open source project Snort.
Well, actually, when I started writing it,
this is back in late 1998.
I was just doing it as kind of a rainy days and weekends project.
I was using it to monitor my home cable modem,
and I was basically teaching myself security,
because back in the 90s, if you wanted to be in cybersecurity, you basically, you know, you taught yourself.
So, yeah, I was kind of just horsing around,
and I eventually decided that I would release it as an open source project
just to see if anybody would use it.
And maybe I thought I'd get a few emails and it would be fun.
And so, no, I had absolutely no idea what was about to happen.
And it just, you know, it absolutely exploded within the first, really the first year.
It just completely took off.
Yeah.
And then that led to the founding of Sourcefire.
And I suppose it's fair to say the rest is history.
Yeah, pretty much.
Yep.
Two years later, I started Sourcefire. Snort had become so popular that I went to work for a startup. I got recruited to work at a startup on the power of being the guy who wrote Snort. And then I left there after not too long and found myself in a position. I was
looking for a job and Snort had gotten so popular that eventually it kind of
dawned on me that if I didn't figure out how to make money on this, somebody else would.
So I decided to give it a shot, and I spent a few months thinking of business plans that might get people to want to pay for something that's free, and then I launched Sourcefire.
Now, Cisco acquired Sourcefire back in 2013, and so you joined Cisco.
I believe you were the chief architect of their security business group.
What was that blending of companies like, and what was going on at Cisco at the time?
So Cisco was getting pressure in the firewall world, specifically next-generation firewalls
from some upstart companies like Palo Alto Networks.
So they were looking to us to help them
bring our great technology into their great organization
and kind of have this very virtuous effect
of taking our great stuff,
pairing it with great Cisco technology, and then selling it
through the Cisco sales machine. I learned all sorts of really interesting things when I
got there because it is such a big company and it is such a
big business. The firewall business alone was three times the size
of Sourcefire's business when we got there, so it was a little bit humbling.
It's really a fascinating place to work. Now, today you are CEO of Netography. Can you give us some insights
there? I mean, it strikes me that with the success that you had, you were probably in a position to
be able to choose what you wanted to do next. What drove this decision? I started talking to Barrett Lyon, who's the
co-founder and was the CEO of the company a little over a year ago about joining the company. And,
you know, yeah, I did have a lot of optionality. So I was trying to figure out if I wanted to join,
you know, why, why Netography? Why would I want to join Netography? And what the company has built is this network metadata analysis platform.
And that's a lot of big, juicy words, but what's it mean practically?
Well, practically speaking, what we're able to do is we're able to take information from the network about the network and kind of figure out what you've got, what it's doing, what's happening to it, the attacks that we're seeing, and the effects of attacks
that are taking place in the network environment.
And we do it without having to deploy any hardware or software.
So what that means practically, if you think about network traffic
like envelopes with letters inside of them,
the envelopes have addresses on them, they go from point A to point B,
then the computers open up the envelope and see, read the letter. That's kind of the way
packets on networks work, kind of very basically.
And the problem is that the letters are going to be encrypted.
So we could still see the envelopes going back and forth, but we couldn't see what was inside them anymore.
And that breaks Snort and a lot of other technologies like Snort when that happens.
Well, one of the fundamental premises that Zero Trust is built on is we're going to encrypt everything out of the gate.
And to decrypt it, you have to be authorized to be there.
So that's one of the primary enforcement mechanisms for doing this.
Well, that's really bad for anything that does deep packet inspection because it effectively blinds it.
So we knew about this back in the Cisco days.
And I wrote a report shortly before I left the company about what happens if the networks
go dark, as we called it.
They become encrypted and we can't really interpret what's going on in them anymore.
And I basically had three conclusions.
And one of them was you have to build a network metadata platform so that we can use the information that's still there on the network to tell us about the network.
So that's what Netography does.
I was really intrigued by that.
And then I started looking at the competitive picture, and I realized that all the competitors that were out there that were doing things similar to Netography were still on the old appliance architecture and the old deep packet inspection architecture,
which meant practically speaking, their days were numbered. So I saw a big opportunity there.
You know, getting your start when you did, and I guess cybersecurity is one of those industries
where, you know, the success of Snort starting back in the late 90s qualifies you as technically being an old timer.
What have you seen in terms of change? I mean, the professionalization of the industry,
what are some of the things that strike you? Well, you can actually learn it in a university now.
So that's new. You don't have to just teach yourself. It's still really good to sit down and get hands-on experience
with how attack and defense work
and how risk management works and policy
and all the other pieces of the puzzle.
So that's changed a lot.
It's been much more professionalized.
The tools have gotten more sophisticated.
The problem has gotten a lot harder, too,
because more and more stuff runs software these days.
Every place there's software,
there's opportunity for bugs that are security bugs,
and it never goes away.
In fact, it just gets bigger and bigger
because the problem gets bigger and bigger
as people deploy software and do all the other things
that we like to do.
As the Andreessen Horowitz guys say,
software is eating the world.
Well, that's like permanent employment for security people.
That's Marty Roesch from Netography.
There's more to our conversation.
In fact, you'll find extended versions of many of our CyberWire interviews
over on CyberWire Pro on our website, thecyberwire.com.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC StormCast podcast.
Johannes, it's always great to have you back.
You know, you have been tracking some interesting goings on
when it comes to some folks sort of targeting their phishing efforts
towards some cryptocurrency folks.
What's going on here?
Yes, and good to be back here again.
This is something that our volunteer handler Jan Kopriva ran into, and it's sort of a little bit of a convoluted scam.
It starts out kind of like you would expect a phishing scam to start out:
you get a link to an obviously fake crypto coin trading platform. But there's a little twist to it.
You actually get a username and password to log in.
The email states that they just transferred some money
to check out your account.
Hey, here is your username and password.
So it kind of looks like it's crypto after all,
who cares about security?
So insofar, it looks a little bit legit
and kind of like one of those misrouted emails.
So it really sort of appeals now to the greed of the recipient.
Of course, greed is always a very powerful motivator.
After you log in to this crypto trading platform,
you'll notice there's actually some bitcoins in the
account, and there is a feature that allows you to transfer that Bitcoin amount into a checking
account. Now, okay, what's next? So far so good; let's see what happens there. So you click the button, you want those Bitcoins,
but there is a little hitch here.
While there's a pretty good amount of Bitcoins in the account,
something sort of short of 30 Bitcoins,
they tell you, hey, we actually have like a minimum amount
that you need to withdraw, which is 30 Bitcoins.
And that's where the scam now starts,
where they're telling you,
hey, just top up your account
and we'll make sure you get those 30 Bitcoins.
So what are you going to do?
They're giving you the quick QR code
where to send the Bitcoin to
in order to top off your account
and off your Bitcoins go,
never to be seen again.
So is there like, I don't know, 29.5 Bitcoins in there and you have to top it off?
There's something close to it, yeah.
Because they want to make sure that the amount you need to top off is small enough where
people typically have that sitting around in their wallet.
Like 30 Bitcoins is, even at today's prices, still more than most people have sitting in their account.
They also go initially through a little validation
where they sort of transmit like 0.00001 Bitcoin,
or at least they claim to verify that your account is working.
So they make you jump through quite a few hoops here
to get to your Bitcoins,
but all kind of in an effort to make sure that you sort of stick with them,
you actually give them a valid address later in order to transfer your Bitcoins from.
Now, if you are someone who's trying to make your way through this,
if you look at the Bitcoins that they're offering up as the lure,
are they legit?
Like, could you go look up and check to see is this a real,
is the lure that they're using,
you know, a real source of some of these funds?
I don't know if that Bitcoin actually,
I doubt they exist.
I doubt these Bitcoins exist.
I'm not sure if they actually give you
like the actual account ID, that sort of public key here, where these Bitcoins exist.
They obviously give you then a public ID
as they're asking you to transfer the money.
I haven't had a chance to look into that
to see if there's actually something short
of 30 Bitcoins in there
or how many people actually transferred money to it,
that would be another interesting thing to look at.
Yeah. No, it's an interesting technique for sure.
I mean, obviously the suggestions here are
to check yourself when you're feeling a little bit greedy, right?
What else?
Yes. Yeah, I think that's really it.
It's one of these typical advance fee scams
where the attacker wants a little bit of money
in order to give you a lot of money.
And the lot of money you're supposed to get
is usually not there.
And also, there's always this little bit illicit part
that will prevent you asking for help from others
to check whether or not it is valid.
I compare it always to the good old parking lot scam where someone says,
hey, they found this big wallet of money for $50.
They'll tell you where it is.
And people fall for that as well in the real world.
And it's always greed plus that illicit aspect
where it basically makes it less likely for people
also to complain if they fall for it.
Right, right, right.
And they count on your embarrassment
to not check in with law enforcement.
All right.
Well, Johannes Ullrich, thanks for joining us. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't miss this weekend's Research Saturday and my conversation with Yanir Tsarimi of Orca Security.
We're discussing AutoWarp,
a critical cross-account vulnerability in Microsoft Azure Automation Service.
That's Research Saturday.
Check it out.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is
Thanks for listening.
We'll see you back here next week.