CyberWire Daily - Large-scale GRU brute-forcing campaign in progress. IndigoZebra in Afghanistan. A ransomware gang scorecard. A cyber most-wanted list. Are the phone lines open?

Episode Date: July 1, 2021

US and British authorities warn of a large-scale GRU campaign aimed at brute-forcing its way into European and American organizations. Reports of a major cyberattack on German critical infrastructure ...appear very much exaggerated. IndigoZebra uses Dropbox in ministry-to-ministry deception aimed at the Afghan government. Currently active ransomware groups are profiled, and REvil is now going after Linux systems in addition to Windows machines. A cyber most-wanted, and priorities in a US Treasury campaign against money laundering. Malek Ben Salem looks at supply chain security. Our guest is Brandon Hoffman of Intel471 with insights on China’s data underground. And, hey, it’s Dmitri from Yurga, long-time listener, first-time caller. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/126

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. U.S. and British authorities warn of a large-scale GRU campaign. Reports of a major cyber attack on German critical infrastructure. IndigoZebra uses Dropbox in ministry-to-ministry deception aimed at the Afghan government. Currently active ransomware groups are profiled.
Starting point is 00:02:21 A cyber most wanted and priorities in a U.S. Treasury campaign against money laundering. Malek Ben Salem looks at supply chain security. Our guest is Brandon Hoffman of Intel 471 with insights on China's data underground. And hey, it's Dmitri from Yurga, long-time listener, first-time caller. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 1st, 2021. NSA and its U.S. and British partners late this morning released an advisory detailing a Russian campaign they describe as almost certainly ongoing to brute force access to cloud and enterprise environments. The campaign is global in scope, NSA says, but focused on American and European targets.
Starting point is 00:03:29 The sectors being prospected for collection or disruption amount to a familiar list: government and military, defense contractors, energy companies, higher education, logistics companies, law firms, media companies, political consultants or political parties, and think tanks. Attribution is specific. The threat actor is placed on the GRU's org chart as the 85th Main Special Service Center. The advisory summarizes the implications of this campaign.
Starting point is 00:03:57 Quote, this brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion. The actors have used identified account credentials in conjunction with exploiting publicly known vulnerabilities, such as exploiting Microsoft Exchange servers using CVE-2020-0688 and CVE-2020-17144 for remote code execution and further access to target networks. After gaining remote access, many well-known tactics, techniques, and procedures are combined to move laterally, evade defenses, and collect additional information within target networks.
Starting point is 00:04:50 While brute forcing isn't new, the GTsSS's approach is. It has uniquely leveraged software containers to easily scale its brute force attempts. The advisory comes with indicators of compromise, and NSA urges Department of Defense, National Security Systems, and Defense Industrial Base system administrators to immediately review them and apply the recommended mitigations. Responding to a screamer in the German tabloid newspaper Bild about a massive Russian cyber attack on German infrastructure, the country's Federal Information Security Service, the BSI, says it never happened. Instead, some criminal activity was thwarted, Bloomberg and Golem report.
Starting point is 00:05:37 Bild had cited unnamed Western intelligence services as its sources and variously named the purported Russian threat actor as Fancy Bear and Fancy Lazarus. The outlet also associated the attack that wasn't with tensions arising over Belarus and the airliner it forced down so it could take a dissident into custody. If you believe the NSA, the NCSC, the Secret Service, and the FBI, the GRU has certainly been up to no good in European and North American networks. But this case doesn't appear to be one of those misdeeds. It was apparently an ordinary and not particularly successful attempt at cybercrime. Researchers at Check Point have observed a Chinese-speaking threat group tracked as IndigoZebra engaged in a long-running cyber espionage campaign against the Afghan government.
Starting point is 00:06:31 IndigoZebra used Dropbox to gain access to the Afghan National Security Council and then used that position to phish their way further into the government. The goal is to access desktop files, deploy scanner tools, and execute Windows built-in networking utility tools. The Hill reports that Check Point is struck by IndigoZebra's effective use of ministry-to-ministry deception, since the messages staged through Dropbox appear to originate at the highest levels of government. The latest targets may be in Afghanistan, but IndigoZebra has, according to Check Point, long shown an interest in Central Asian governments since at least 2014, pursuing targets in Kyrgyzstan and Uzbekistan. Security firm DomainTools has published a useful guide to the most common ransomware
Starting point is 00:07:23 operations presently active. The accounts of the individual gangs and their tools are interesting, but so is the overarching warning DomainTools offers up front. Quote, all of these groups make alliances, share tools, and sell access to one another. Nothing in this space is static, and even though there is a single piece of software behind a set of intrusions, there are likely several different operators using that same piece of ransomware that will tweak its operations to their designs.
Starting point is 00:07:52 Among the more prolific, rapacious, and successful ransomware-as-a-service operations out there is REvil. AT&T's Alien Labs, working from a tip it received from MalwareHunterTeam, has been tracking new samples that indicate the gang's expansion into new fields of activity. REvil has hitherto concentrated on attacking Windows machines, but Alien Labs has confirmed, with at least four samples, that REvil has branched out into the Linux world. In this, REvil is following the lead of other
Starting point is 00:08:25 ransomware outfits, notably DarkSide. The first confirmed REvil activity against Linux systems appears to date to this past May. The U.S. Secret Service has revived its most-wanted list of suspected cybercriminals. As suits a remit narrower than the FBI's, the Secret Service's list is confined to cases of financial fraud under investigation by its cyber fraud task forces. They welcome tips. If you've got any, you can email them at mostwanted at usss.dhs.gov. Two of the wanted come with a million-dollar reward for information leading to arrest and conviction. In a related development, the U.S. Treasury Department has published a revised set of anti-money laundering guidelines, the Wall Street Journal reports.
Starting point is 00:09:17 The department's Financial Crimes Enforcement Network yesterday gave cybercrime a prominent place among its priorities. FinCEN said, quote, the priorities identify and describe the most significant AML/CFT threats currently facing the United States. In no particular order, these include corruption, cybercrime, domestic and international terrorist financing, fraud, transnational criminal organizations, drug trafficking organizations,
Starting point is 00:09:45 human trafficking and human smuggling, and proliferation financing. End quote. Finally, in the "It's Dmitri from Yurga, long-time listener, first-time caller" department, Russia's President Putin seemed this week to engage in a bit of security theater, principally for domestic consumption. His annual four-hour call-in TV show, a kind of ask-me-anything session with Russian citizens on the state-run Rossiya-24 network, featured a caller from the southwestern Siberian region of Kuzbass who complained, "Our digital systems are right now facing attacks, powerful DDoS attacks." The president replied,
Starting point is 00:10:27 "Are you joking? Seriously. Turns out we have hackers in Kuzbass." SecurityWeek says that the large Russian telco Rostelecom confirmed that unknown parties were indeed conducting cyber attacks and that steps were being taken to block these illegitimate activities. No attribution was offered, but hey, give them a call. Maybe by now, the phone lines are open. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:11:08 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
Starting point is 00:11:30 across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:11:55 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:12:44 Learn more at blackcloak.io. Researchers at Intel 471 recently looked into the sale of data sets in online dark web forums by Chinese insiders with access to big datasets. Brandon Hoffman is chief information security officer at Intel 471, and he joins us with their findings. Yeah, so what's happening essentially is, let's just take, for example, a service provider. A service provider has a lot of data about individuals, a lot of data about what they do on the internet and probably personal information. This data gets aggregated, and there's legitimate reasons, even here in the U.S. and across
Starting point is 00:13:32 other parts of the world, where people aggregate this data and they sell packages to advertising and marketing firms, and they broker this data out for legitimate purposes. But what's happening here essentially is there's somebody who's kind of running maybe a syndicate or a group that deals with selling this type of data or derivatives of this data for nefarious purposes. They enlist somebody like an insider or potentially a threat actor, maybe a hacker, if you want to use that term, to go and gather up this data, extract large sets of information. Then they push that data through middlemen on the cybercrime underground, or what some people will say, maybe the dark web.
Starting point is 00:14:19 We don't really use that term. And they sell that to threat actors who want that data, who are running scams. Maybe it's a phishing scam, could be a malware campaign to target specific type, specific people. So essentially, just to cover the process very quickly, you know, somebody, there's a group of people who deal in selling this type of data. They'll go and enlist somebody to get a set of information that they want from, let's say, like a service provider who has a giant data lake of information. They extract the pieces they want. They push it through a middleman to the actual threat actors who will monetize that data through a variety of different types of scams. And is this primarily Chinese organizations focusing on the
Starting point is 00:15:06 data of other Chinese nationals or are they, is, you know, is our data from other people around the world, is that being looped into this as well? Yeah, I mean, in the specific example of the research we're doing, this is all pretty well contained. I think there is data probably because of the advent of the Chinese technology, as you would say, diaspora, across the world. Certainly there is some data from outside of China in there, and it's very, very likely that this is taking place this same scenario is taking place in other parts of the world. But in this particular report,
Starting point is 00:15:46 in this case, it was focused almost completely on inside of China. It's an interesting time to have a report like this because at least with a lot of people I talk to, you know, the notion of all the data being gathered on us as individuals and what it's being used for, how it's being monetized, even legally, is seem to be causing a lot of heartburn with many people, even in the lay public. It's interesting to see this report come to light that not only is it used for legal profiteering, but also illegal profiteering. It really doesn't come as a surprise to most of us,
Starting point is 00:16:24 but it's just kind of interesting timing, I guess is all I'll say. Yeah, when it's sort of laid bare there, I guess it confirms a lot of people's suspicions. One more bit of data to put in your bin. Yeah, I guess it kind of follows the old adage that nothing in life really is free, right? That's right. You're going one way or the other.
Starting point is 00:16:47 That's Brandon Hoffman from Intel 471. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:17:27 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Malek Ben Salem. She is the Technology Research Director for Security at Accenture. It is always great to have you back. I wanted to talk to you today about some work that I know you and your team have been focusing on. And this is the remediation of vulnerabilities, but using artificial intelligence. What can you share with us today? Yeah, so we noticed that a lot of our clients are struggling with remediating vulnerabilities that are found through the different application security tests that they perform.
Starting point is 00:18:26 We know that application development teams are responding just to the highly critical vulnerabilities that are found through these tests and that they cannot find the time to remediate all of the vulnerabilities. So we wanted to assist them and look at the use of machine learning and AI in general to help them with this task. We've worked with one of our clients and we've taken basically all of their vulnerabilities in their environment and identified the most frequent ones, and started looking at how can we automatically generate and suggest remediated code for them so that the development teams can take the remediated code and just review it and apply it or include it in their code. And that went pretty well.
Starting point is 00:19:24 So we've been working at this for a few months now. And, you know, we've performed a field test with this client. And we found that we're able, or the AI is able to automatically remediate 60% of the vulnerabilities, of the Java vulnerabilities within their environment, just using a few of the AI models. So this was very encouraging for us. I think what we will do is expand that to other Java vulnerabilities and expand that AI also to handle vulnerabilities in other programming languages as well. Is there an adjustment period that developers have to go through when interacting with a system like this? I mean, I can imagine folks not naturally responding in a generous way when an AI tells them that they need to make some adjustments to their code.
Starting point is 00:20:24 Yes, absolutely. I think deploying something like this within a development environment will take some adjustment time, which is why we've taken a phased approach to this. In our first field test, what we've done is generate these suggested auto-remediations and send them to the application development team so that they can review them and then that they can gain basically trust into the AI and its recommendations. And the response we've received is outstanding. All the application teams that we've been working with have been thrilled to get these remediations because they save them a lot of time. I think as more confidence is gained, as more trust is gained into these recommendations generated by our AI system, we can move on into automatically deploying these remediations and integrating them with the code so that we can perform the unit tests and move on with the development pipeline. So yes, I think it takes time. But so far, the response we've received is
Starting point is 00:21:47 great. Some of our metrics show that just generating these remediations save the development teams two hours per vulnerability. So that time researching what is the vulnerability about and how can I remediate it, et cetera. So it saves them per vulnerability. That is amazing. Knowing that, you know, there are hundreds of thousands of vulnerabilities that these application teams have to deal with. That's huge. And automatically deploying the remediation to the code, that will save five hours of
Starting point is 00:22:28 development of developer and tester time. So there are even more savings to be gained if this entire process can be completely automated. So where do you suppose this is heading? I mean, what's the, I guess I'm trying to imagine the point of equilibrium. When this is up and running, ideally, what do you have in your mind's eye? Well, when this is up and running, I think this will save development time so that the developers can really focus on what they do best, right? And what's generating more value for the company, which is developing code and working on their applications as opposed to running around fixing vulnerabilities.
Starting point is 00:23:13 So that is the purpose. And also, by the AI generating these remediations for the developers in code, our intent is that they will learn by looking at the right code or the non-vulnerable code, they will learn the way to write code in a secure manner. So over time, not only are we fixing vulnerabilities, but we're also teaching the developers on how to write secure code. And then the proper code goes in their library, goes into their bag of tricks.
Starting point is 00:23:51 Exactly. Yeah. Absolutely. Yeah, fascinating stuff. All right, well, Malek Ben Salem, as always, thanks for joining us. Thank you. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
Starting point is 00:24:45 and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
