CyberWire Daily - KillNet threatens hack-and-leak op against HIMARS maker. Online investment scams hit Europe. Microsoft associates Raspberry Robin with EvilCorp.
Episode Date: August 1, 2022
KillNet threatens hack-and-leak op against HIMARS maker. Online investment scams hit Europe. Microsoft associates Raspberry Robin with EvilCorp. Rick Howard previews season ten of the CSO Perspectives podcast. Our guest is Nate Kharrl of SpecTrust on deploying fraud detection at the gateway. And a heartfelt farewell to a woman whose inspiration lives on.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/146
Selected reading.
Cyberactivist Group Killnet Declares War on Lockheed Martin (Sputnik)
Russian Hackers Target U.S. HIMARS Maker in 'New Type of Attack': Report (Newsweek)
Founder of pro-Russian hacktivist Killnet quitting group (SC Magazine)
Huge network of 11,000 fake investment sites targets Europe (BleepingComputer)
Microsoft links Raspberry Robin malware to Evil Corp attacks (BleepingComputer)
Microsoft ties novel 'Raspberry Robin' malware to Evil Corp cybercrime syndicate (The Record by Recorded Future)
FakeUpdates malware delivered via Raspberry Robin has possible ties to EvilCorp (SC Magazine)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself (Microsoft Security)
Australia charges dev of Imminent Monitor RAT used by domestic abusers (BleepingComputer)
Brisbane teenager built spyware used by domestic violence perpetrators across world, police allege (the Guardian)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Killnet threatens a hack-and-leak operation against the maker of HIMARS.
Online investment scams hit Europe.
Microsoft associates Raspberry Robin with Evil Corp.
Rick Howard previews Season 10 of the CSO Perspectives podcast.
Our guest is Nate Kharrl of SpecTrust on deploying fraud detection at the gateway.
And a heartfelt farewell to a woman whose inspiration lives on.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, August 1st, 2022.
The HIMARS rocket artillery system the U.S. has provided Ukraine
apparently has aroused some concern in the Russian command.
There have been reports of apparent provocations
in which Russia has blamed some of its own strikes on wayward Ukrainian HIMARS rockets.
At the very least, Russian refusal to allow international Red Cross inspectors into a
prison camp that Russia claims was hit by a HIMARS suggests a guilty mind, one with something to conceal. There have also been claims, so far
unsubstantiated, that Russia had developed a cyber weapon that's capable of disrupting HIMARS in some
unspecified fashion, perhaps through interference with its fire direction system. One action in
cyberspace is aimed, if it actually comes off, at Lockheed Martin,
the U.S. defense and aerospace giant that produces HIMARS.
Killnet, a nominally hacktivist threat actor aligned with and in all likelihood controlled by the Russian government,
says it's going to strike a blow against Lockheed Martin on humanitarian grounds, needless to say.
The Kremlin media mouthpiece Sputnik tells the story from Killnet's side. The Kremlin outlet quotes Killmilk, the group's leader,
stating, "Starting today, defense industry corporation Lockheed Martin will be a target
of my cyber attacks. I am against weapons. I am against merchants of death." Newsweek quotes another statement by the group.
As Killnet puts it,
"the notorious HIMARS multiple launch rocket system supplied to Ukraine
by the aforementioned military industrial corporation
allows the criminal authorities of the Kiev regime to kill civilians,
destroy the infrastructure and social facilities of the still temporarily occupied
Ukraine." Killnet has been talking their campaign up for some time. On July 22nd, the group said,
"We are using a new type of attack. We have no equal in this area. This is a new technology
that we are using for the first time against the world's largest arms manufacturer, Lockheed Martin."
Sputnik says the operation will be a hack-and-leak campaign,
and Killnet has invited other groups to participate,
so it's to be a crowdsourced effort if Killnet is to be believed.
To stay with Killnet for just a moment, the group may be undergoing a reorganization, or at least a change in leadership.
SC Magazine reports that the threat actor's founder and leader, known by his hacker name
Killmilk, has said he intends to leave Killnet to form a new group. He'll be succeeded by someone
with the unlikely hacker name Blackside. Blackside is said to be the administrator of a criminal
special-access forum hosted on Tor.
He's supposed to be a specialist in ransomware, phishing, and theft from European cryptocurrency exchanges.
Killmilk's departure is said to be connected to his group's threatened campaign against Lockheed Martin,
but observers are skeptical that Killmilk, even assuming he's a natural person and not an office somewhere in the Russian organs,
is motivated by any selfless desire to spare his colleagues the wrath of law enforcement.
Killmilk does say he's actively recruiting members for his new group, so we shall see.
A complex and ambitious investment scam has used more than 10,000 domains to induce speculators to give up not just funds but personal information as well.
Researchers at Group IB describe the campaign as one that proceeds through several distinct stages.
It begins with ads placed on social media or with pages displayed in compromised Facebook or YouTube accounts. The come-on invites prospects to learn more about an investment opportunity,
enticing them with bogus celebrity endorsements and, always a warning sign, promises of guaranteed returns.
Should the prospect click through to learn more, they find that for an initial investment of roughly $255,
they'll receive a personal investment counselor
who will guide them through the process.
And they'll also receive a dashboard
they can use to track their investment's progress,
which itself feeds them inducements to invest more.
Group IB writes,
The main goal of these fake investment schemes
is to convince the victims to repeatedly transfer funds to the fake investment portal.
The victims are usually promised huge returns on their investments and are shown How I Got Rich stories featuring celebrities.
The campaign's success depends on volume.
The mix of online social engineering and live phone scamming is a distinctive mark of an otherwise conventional con job.
At the end of last week, Microsoft updated its research, originally published on May 9th of this year, on Raspberry Robin.
Microsoft researchers also observed that FakeUpdates malware was being delivered through existing Raspberry Robin infestations.
On July 26, 2022, Microsoft researchers discovered the FakeUpdates malware being delivered via existing Raspberry Robin infections. The Microsoft 365 Defender
Threat Intelligence team and the Microsoft Threat Intelligence Center also looked at the
payloads the group delivered and saw a significant
pattern, and it points to Evil Corp. The researchers say these payloads have, in numerous instances,
led to custom Cobalt Strike loaders attributed to DEV-0243. DEV-0243 falls under activities
tracked by the cyber intelligence industry as Evil Corp.
The custom Cobalt Strike loaders are similar to those seen in publicly documented Blister malware's inner payloads.
In DEV-0243's initial partnerships with DEV-0206, the group deployed a custom ransomware payload
known as WastedLocker and then expanded to additional DEV-0243 ransomware payloads
developed in-house, such as PhoenixLocker and Macaw.
The group seems to have used LockBit 2.0 as misdirection,
buying the ransomware-as-a-service tool to conceal Evil Corp's presence.
The researchers state, around November 2021, DEV-0243, that is Evil Corp,
started to deploy the LockBit 2.0 ransomware-as-a-service payload in their intrusions.
The use of a ransomware-as-a-service payload by the Evil Corp activity group
is likely an attempt by DEV-0243 to avoid attribution to their group,
which could discourage payment due to their sanctioned status.
Bleeping Computer explains why sanctions drive the misdirection, stating,
After being sanctioned by the U.S. government in 2019, ransomware negotiation firms refused
to facilitate ransom payments for organizations hit by Evil Corp ransomware attacks to avoid
facing legal action or fines from the U.S. Treasury
Department. Using other groups' malware also allows Evil Corp to distance themselves from
known tooling to allow their victims to pay ransoms without facing risks associated with
violating OFAC regulations. The Australian Federal Police announced late last week that they'd charged a Brisbane man,
Jacob Wayne John Keen, 24 years young, with creating the Imminent Monitor remote-access Trojan
and selling it to those who wished to use its camera-hacking and keylogging functionality as stalkerware.
Mr. Keen allegedly sold Imminent Monitor for $35 a pop in an underworld market. His secret,
like the secret of the hoods currently running the investment scam in Europe, was volume.
The Australian federal police say he sold it to more than 14,500 people, pulling in somewhere
between $300,000 and $400,000. Many of his clients are thought to have been domestic abusers.
Mr. Keen got his start early.
The police say he started offering the code at the tender age of 15.
We'd say, boy, boy, you'll break your mother's heart,
except, alas, in this case, the Australian Federal Police think Mom was in on it with him,
which is just kind of sad.
And finally, we note in sadness that another star has fallen from the firmament of the
original Star Trek series.
Nichelle Nichols, who played the Enterprise communications officer Lieutenant Uhura, passed
away Saturday at the age of 89.
Well remembered by all who visited the Starship Bridge via television,
Ms. Nichols will be missed, as all who've gone where no one has gone before are.
So hail and farewell, Nichelle Nichols,
and if we may address you by your creation's name, Lieutenant Uhura,
greet Bones, Scotty, and Spock for us.
Rest in peace.
But it's newer for fraud prevention teams, and that reality brings with it a number of interesting challenges.
Nate Kharrl is co-founder and CEO of fraud prevention security firm SpecTrust.
And generally when you think about how people look for fraud in an application,
these are things that have built up coming out of a finance concern.
So it's in the back office, they're looking at a stack of login requests or account signups or payments, and then looking for bad activity.
What that means is that for the people who are looking for bad actors
who are on their platform, they only get the data that is given to them
by the experienced teams.
It's usually not a lot, and their ability to drive feedback in,
it's pretty terrible.
As opposed to in the security world, where you are out at the gateway,
so you can think about your web application firewalls,
and your DDoS protection,
that's out there at the edge collecting 100% of the information,
keeping what's relevant, and then obviously dropping the rest.
Fraud teams never have access to that,
meaning that they don't have all the information they need to make those decisions,
and they don't have a great information-sharing bridge to go between themselves and security teams
because there's a lot of really great potential for collaboration.
So when we talk about deploying at the gateway,
we're really talking about deploying fraud detection and prevention
the same way that security solutions are deployed today.
And why don't the fraud teams have access to that type of information that security teams
have grown accustomed to? They're generally not technical, right? For a growing business,
their first fraud manager might be somebody inside of customer service. So for them,
getting access to this type of technology, they often don't know to ask for it.
And even in larger enterprises, their fraud team may be a finance concern, it may be a legal concern, it may roll up to the business unit.
It's a rarity that we find a fraud team that rolls up to the CISO.
As a result, the type of solutions, the sophistication of those solutions, has lagged behind how security solutions typically roll out to the market.
So what does this look like?
From a practical point of view, somebody looking to deploy something like this, how does it work? So the way that these type of solutions work is they will deploy out similarly to the way a CDN might or a web application firewall.
The main difference is they're going to be looking at layer 7 traffic
and stitching that together into a stateful representation
of what a single digital identity did on the property
over a longer period of time.
So instead of looking at packets,
or instead of looking at maybe a single request at layer seven, it's about
stitching that together from end to end and being able to trigger workflows and automations
off of that.
Why that's big for security teams is now their fraud teams have a way to really build that
bridge between, hey, the security team may be specifically watching POST requests to
an application, looking for bots or credential stuffing attacks.
But now the fraud team can see the on-platform behavior,
look for things that have happened where they're trying to abuse the platform,
abuse the application, and then feed that back into the security team as an upstream.
Today, fraud teams largely don't consider their security teams an upstream
when they just clearly are.
Yeah, it strikes me that there's really
an opportunity here for a lot of potential collaboration.
It's crazy.
There is so much that goes into
where a security team might be making decisions,
thousands, hundreds of thousands of decisions a day
on who to allow access to these critical pieces
of these consumer-facing applications.
And none of that trickles downstream
as the people on the fraud teams
are trying to build risk assessments
for digital identities.
And none of what actually happens,
like the actual loss, streams upstream.
Which I think security teams that we've talked to
love that because oftentimes
it's hard to justify ROI for security investments. But your fraud team sits so close to the money,
it makes it really, really easy for you to really understand the impact of your investments and be
able to communicate that to get the buy-in you need inside of your organization.
Now, if you're intermingling the fraud component and the security component,
are there any concerns there in terms of privacy?
From a fraud and security component, no. Most of the carve-outs that you'll see in things like GDPR
or CCPA for the purposes of cybersecurity apply to fraud exactly the same way. So in terms of being able to move it across,
most fraud solutions will actually work
with pseudo-anonymized digital identities.
So you won't necessarily be looking at customer PII.
You'll be looking at a tokenized version of that.
Is there a cultural component here as well
of establishing trust between these
two established teams? What we have seen is it really comes down to the leadership on the
security end of the house. The security end of the house, typically, they can decide if account
security is inside their remit or not. And some of them say no. Some of them are like, hey, if we're shipping good code
and if we have addressed major vulnerabilities
and the application doesn't allow unsecure access,
then we've done our job.
If people abuse, then that's fraud's concern.
Where we have seen CISO step in
and just show a lot of leadership around,
no, we're going to keep the entire customer experience secure.
Become the yes people of, yes, you can work with
safe payment instruments.
Yes, you can allow one-click checkout.
Yes, you can move into these new areas.
That has really unlocked a bunch.
Fraud teams typically aren't going to fight more engagement from the CISOs
because what they lack is engineering support.
They lack technical support, which security teams typically have
consistently more than fraud teams do.
And it really just becomes like a 1 plus 1 equals 3 type situation.
That's Nate Kharrl from SpecTrust.
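The gateway stitching Kharrl describes, as an added worked example (this is not SpecTrust's code or anything from the interview): a handful of constructed layer-7 request records, of the kind a WAF or CDN might emit, are pseudonymized with a keyed token so the fraud side never handles raw device IDs or account names, stitched into one ordered timeline per digital identity, and scored for two session-level signals that no single request reveals: the security team's credential-stuffing pattern (many distinct accounts failing login from one identity) and the fraud team's fast-monetization pattern (login, new payment instrument, checkout within minutes). The log format, field names, HMAC key and thresholds are assumptions chosen for the example.

```python
"""Stitch gateway-level HTTP events into per-identity timelines and score them.

Added example for this transcript, not SpecTrust's product code. The log
format, field names, tokenization key and thresholds are all constructed.
"""
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed sample: one JSON object per request, as a gateway (WAF/CDN-style)
# might emit after parsing the layer-7 request. Deliberately not time-ordered.
SAMPLE_LOG = """
{"ts": 1000, "device": "dev-alpha", "ip": "198.51.100.7", "method": "POST", "path": "/login", "status": 401, "account": "alice@example.test"}
{"ts": 1002, "device": "dev-alpha", "ip": "198.51.100.7", "method": "POST", "path": "/login", "status": 401, "account": "bob@example.test"}
{"ts": 1000, "device": "dev-beta", "ip": "203.0.113.9", "method": "GET", "path": "/", "status": 200, "account": null}
{"ts": 1004, "device": "dev-alpha", "ip": "198.51.100.7", "method": "POST", "path": "/login", "status": 401, "account": "carol@example.test"}
{"ts": 1006, "device": "dev-alpha", "ip": "198.51.100.7", "method": "POST", "path": "/login", "status": 401, "account": "dave@example.test"}
{"ts": 1008, "device": "dev-alpha", "ip": "198.51.100.7", "method": "POST", "path": "/login", "status": 401, "account": "erin@example.test"}
{"ts": 1040, "device": "dev-alpha", "ip": "198.51.100.7", "method": "POST", "path": "/checkout", "status": 200, "account": "frank@example.test"}
{"ts": 1010, "device": "dev-alpha", "ip": "198.51.100.7", "method": "POST", "path": "/login", "status": 200, "account": "frank@example.test"}
{"ts": 1025, "device": "dev-alpha", "ip": "198.51.100.7", "method": "POST", "path": "/payment-methods", "status": 201, "account": "frank@example.test"}
{"ts": 1030, "device": "dev-beta", "ip": "203.0.113.9", "method": "POST", "path": "/login", "status": 200, "account": "grace@example.test"}
{"ts": 1900, "device": "dev-beta", "ip": "203.0.113.9", "method": "GET", "path": "/orders", "status": 200, "account": "grace@example.test"}
{"ts": 5000, "device": "dev-beta", "ip": "203.0.113.9", "method": "POST", "path": "/checkout", "status": 200, "account": "grace@example.test"}
"""

# Assumed tokenization key; in a deployment it would come from a secrets store.
TOKEN_KEY = b"constructed-demo-key"

# Assumed thresholds for the two signals demonstrated below.
STUFFING_MIN_ACCOUNTS = 5    # distinct accounts failing login from one identity
STUFFING_WINDOW_S = 300
MONETIZATION_WINDOW_S = 120  # login -> add payment instrument -> checkout


def tokenize(value: str) -> str:
    """Keyed pseudonym for a device id or account name: stable enough to join
    events across teams, not reversible without the key."""
    return hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def parse_log(text: str) -> list:
    """Parse gateway records and replace raw identifiers with tokens."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["identity"] = tokenize(ev.pop("device"))  # raw device id never leaves here
        ev["account"] = tokenize(ev["account"]) if ev["account"] else None
    return events


def build_timelines(events: list) -> dict:
    """Stitch single requests into one time-ordered timeline per identity."""
    timelines = defaultdict(list)
    for ev in events:
        timelines[ev["identity"]].append(ev)
    for timeline in timelines.values():
        timeline.sort(key=lambda e: e["ts"])
    return dict(timelines)


def assess(timeline: list) -> dict:
    """Session-level signals that no single request exposes."""
    signals = []
    # Security-side signal: many distinct accounts failing login within a window.
    fails = [e for e in timeline
             if e["method"] == "POST" and e["path"] == "/login" and e["status"] == 401]
    for i, first in enumerate(fails):
        in_window = {e["account"] for e in fails[i:]
                     if e["ts"] - first["ts"] <= STUFFING_WINDOW_S}
        if len(in_window) >= STUFFING_MIN_ACCOUNTS:
            signals.append("credential_stuffing")
            break
    # Fraud-side signal: a fresh login that adds a payment instrument and checks
    # out within minutes, all on the same (tokenized) account.
    for login in (e for e in timeline if e["path"] == "/login" and e["status"] == 200):
        paths = {e["path"] for e in timeline
                 if e["account"] == login["account"]
                 and login["ts"] <= e["ts"] <= login["ts"] + MONETIZATION_WINDOW_S}
        if {"/payment-methods", "/checkout"} <= paths:
            signals.append("fast_monetization")
            break
    return {
        "requests": len(timeline),
        "accounts": len({e["account"] for e in timeline if e["account"]}),
        "signals": signals,
    }


def run(log_text: str) -> dict:
    """Full pipeline: parse, pseudonymize, stitch, assess, keyed by identity token."""
    return {ident: assess(tl) for ident, tl in build_timelines(parse_log(log_text)).items()}


if __name__ == "__main__":
    print(json.dumps(run(SAMPLE_LOG), indent=2))
```

Run directly, the sample yields one identity flagged on both signals and one clean one. The stitching step is where the interview's point lives: the WAF sees each 401 on its own, the fraud team sees a checkout on its own, and only the per-identity timeline joins them. Using a keyed HMAC rather than a bare hash for the tokens means a team holding the report but not the key cannot brute-force account emails back out of it, which is what makes a pseudonymized bridge between the two teams workable.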
And it is always my pleasure to welcome back to the show Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, great to have you back.
Hey, Dave.
So if you are on the show today, that means one thing.
It means we've started another season of CSO Perspectives.
I have to say I can hardly wait to see what you have in store for us.
Yeah, you can't get away from me, Dave.
We come back like a bad rash.
Okay, that's me.
There you go.
So, Season 10 starts today, and we have an entire rack of cool and interesting things to talk about
from the fintech ecosystem, privilege escalation, crisis planning, and a whole thing on risk forecasting.
So I'm really looking forward to that.
But today we're talking to the folks over at MITRE Engenuity about two new and free tools,
and, you know, I love free, that they released this year in 2022, designed to make working with the MITRE ATT&CK framework easier.
Well, I have to admit, I'm glad you're talking about this, Rick,
because, you know, sometimes when I tune into your segments,
I find myself saying, yes, Rick,
we all know how great the MITRE ATT&CK framework is.
But you know what?
I mean, if you look into it, you're absolutely right.
There is great information in there.
But also, I think, I mean, is it fair to say
that it's not for the casual user, that it can be hard to use?
I think that's absolutely true.
And by the way, Dave, I get that same reaction from my family.
So you're not the only one.
So these new tools from MITRE Engenuity were tailor-made for people like you who are kind of casual users, right?
One is called MITRE's Powered Suit.
It's a Chrome browser extension that when you're reading the cyber news items of the day,
like from the Cyber Wire or from some latest report from a security vendor,
you can easily look up the tactics, techniques, and procedures associated with it
without having to go back and forth and doing deep dives from the MITRE wiki.
So it kind of streamlines that entire operation.
And I use it every day now.
It's really good.
So I highly recommend it.
The other is called the MITRE Attack Flow.
And this is a really interesting idea.
It's a visualization tool that allows you to map the latest attack sequence, say, from
PandaBear, you know, in a visually pleasing way.
And then you can also layer in the detection
and prevention controls your organization has in place to counter those attacks. So,
I'm looking forward to playing with that a little bit more.
Well, that is over on the pro side of the CyberWire house, over on the subscription side.
On the publicly available side, you've also been releasing some of the older CSOP episodes, classic episodes,
for folks who are not already a subscriber. That's right. That's right. They're not reruns.
They're classics. If you haven't heard it, it's new to you. So these episodes are from last year.
What can people look forward to there? So that podcast is called CSO Perspectives Public, and you can search
for it wherever you get your podcasts. And it's free with ads. And this archive episode is all
about how to orchestrate the security stack on your various data islands. So like we said before,
if you're trying to stop PandaBear from running around your networks, how do you make sure that
your anti-PandaBear security controls are consistent in your data center, in your cloud
deployments, in your SaaS services, and on your mobile devices. So we'll give that a run and see
what we come up with. All right. Sounds like good stuff. Before I let you go, the other podcast you
work on is called Word Notes. And these are little five-minute deep dives into some of the words that
pop up in the news. What is this week's word?
In this week's show, we're talking about pseudo-ransomware. I didn't even know it was a thing until we put the show together, right? So we'll give you a little definition, a little
history, and a little nerd reference from the 2008 movie, The Dark Knight. So it doesn't get
any better than that. Okay, firing on all cylinders. Rick Howard, he is the host of CSO Perspectives that is part of CyberWire Pro.
You can check that out on our website, thecyberwire.com.
Rick, thanks for joining us.
Thanks, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, huh?
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.