CyberWire Daily - Lebanon Cedar’s wide-ranging cyberespionage campaign. Lazarus Group said to be behind the social engineering of vulnerability researchers. Solorigate spreads. Social media and the short squeeze.

Episode Date: January 29, 2021

Lebanon Cedar is quietly back, and running a cyberespionage campaign through vulnerable servers. Social engineering of vulnerability researchers is now attributed to the Lazarus Group. That “SolarWinds” incident is a lot bigger than SolarWinds. Notes on social media and the short squeeze. Verizon’s Chris Novak looks at the changing landscape of ransomware payments. Our guest Professor Brian Gant from Maryville University examines cybersecurity threats of the new U.S. administration. And the GAO thinks the US State Department should use “data and evidence.” For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/19

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 Lebanon's Cedar is quietly back and running a cyber espionage campaign through vulnerable servers. Social engineering of vulnerability researchers is now attributed to the Lazarus Group. That SolarWinds incident is a lot bigger than SolarWinds. Notes on social media and the short squeeze.
Starting point is 00:02:18 Verizon's Chris Novak looks at the changing landscape of ransomware payments. Our guest, Professor Brian Gant from Maryville University, examines cybersecurity threats of the new U.S. administration. And the GAO thinks the U.S. State Department should use data and evidence. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 29th, 2021. ClearSky researchers have outlined cyber incursions they attribute to Lebanon's Cedar,
Starting point is 00:03:07 also known as Volatile Cedar. It's a threat actor in Lebanon, believed to be associated with the Hezbollah faction that operates from that country, although earlier reports from security company Check Point have reported seeing connections between the group and the government of Lebanon. In any case, the group is said to be motivated by political and ideological interests, and it casts a very large net in the information it collects. Lebanon's Cedar has prospected targets in the United States,
Starting point is 00:03:37 the United Kingdom, Egypt, Jordan, Lebanon, Israel, and the Palestinian Authority. Lebanon's Cedar is using a new version of the Explosive V4 RAT and the Caterpillar V2 web shell installed in vulnerable servers. Many of the victims were telecommunications providers. More than 250 servers were compromised in the campaign. ClearSky regards the use of the Explosive RAT as the smoking gun of attribution. As the firm puts it in their report, quote, We attributed the operation to Lebanese Cedar, also known as Volatile Cedar, mainly based on the code overlaps between the 2015 variants of
Starting point is 00:04:18 Explosive RAT and Caterpillar web shell to the 2020 variants of these malicious files. We identified a high degree of similarity between the RAT we identified to the original Explosive RAT, end quote. No one else, they say, uses it. Lebanon's Cedar has been active since around 2012 and has acquired a reputation for circumspection, proving itself to be both unobtrusive and effective. It had been quiet for the last couple of years, but it's now apparently resurfaced. Microsoft has attributed the recently exposed long-con social engineering of vulnerability researchers to the North Korean group Microsoft calls Zinc, and most others know as the Lazarus Group. To recap some background on the incident,
Starting point is 00:05:05 this Monday, Google's Threat Analysis Group reported that a North Korean threat actor had been engaged in a social engineering campaign that targeted vulnerability researchers. The campaign represented a significant advance in subtlety and craft on Pyongyang's part, a departure from the noisy smash-and-grab hacking so often attributed to the DPRK. The threat actors created research blogs and multiple Twitter personas that they used to discuss various publicly known vulnerabilities, often claiming successful development of proof-of-concept exploits. The Register aptly called the campaign a long con.
Starting point is 00:05:43 The goal was espionage and not the direct financial theft that's frequently the objective of North Korean cyber operations. As far as Microsoft's report is concerned, it confirms much of what Google's researchers had concluded about the threat actors' methods. Microsoft writes, quote, After building their reputation across their established social media accounts, the actors started approaching potential targets on social media platforms such as Twitter and LinkedIn. The conversations were often seemingly innocuous, asking security questions or talking about exploit techniques.
Starting point is 00:06:18 If the researcher was responsive, the actor would offer to move communication to another platform, such as email or Discord, in some cases to then send files using encrypted or PGP-protected ZIPs. Redmond provides a set of indicators of compromise, and they offer some advice for those who might be affected. Should you have visited one of the blogs owned and operated by Zinc, Microsoft's report has a list of them. You'll do well to run a full anti-malware scan and use the provided IOCs to check your systems for intrusion. If you find any of Zinc's malware, assume your system is fully compromised and rebuild it.
Starting point is 00:06:58 To avoid being hit by something like this, Microsoft advises security professionals to use a virtual machine when they're building untrusted projects in Visual Studio or when they're opening links or files sent by parties unknown. The Wall Street Journal reports that the threat actor behind the SolarWinds supply chain compromise, probably a Russian intelligence service, will touch a very large number of victims. About a third of those affected by the incident don't use the afflicted SolarWinds Orion platform. CRN quotes industry sources to the
Starting point is 00:07:32 effect that there's no finish line for cleaning up after this campaign. Acting CISA Director Wales said, according to the Journal, that the attackers gained access to their targets in a variety of ways. Quote, This adversary has been creative. It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign, end quote. That is, this particular Cozy Bear was patient and foxy, knowing many things as opposed to just one big thing. The threat actor was able to move from one cloud to another. If you remember other similar attacks against cloud services,
Starting point is 00:08:14 notably China's 2016 Cloud Hopper industrial espionage campaign, and think that this is the same old thing, that seems not to be the case. CISA doesn't think so, at least. Acting Director Wales said the Solorigate campaign was substantially more significant than Cloud Hopper. The Journal quotes him as saying, quote, We continue to maintain that this is an espionage campaign designed for long-term intelligence collection.
Starting point is 00:08:40 That said, when you compromise an agency's authentication infrastructure, there is a lot of damage you could do, end quote. After some retail trading platforms, notably the ironically named Robinhood, suspended, then resumed trading in GameStop and a few other heavily shorted stocks, it remains unclear what the self-organized social media book-talkers did that was illegal, if indeed it was anything at all. Criticism of the trading suspensions was, in the U.S., surprisingly bipartisan, CNBC says, with left- and right-wing members of Congress seeing no crime in retail investors winning their bets at the expense of hedge funds' wagers. It's a novel phenomenon, and the SEC is seeking understanding.
Starting point is 00:09:27 Robinhood is getting killed in online reviews by a whole lot of people who think its app is more like the kind of thing the Sheriff of Nottingham would run on behalf of Prince John. The U.S. Government Accountability Office recommends that the State Department rethink its plans for a cybersecurity bureau. It's not a bad idea, says the GAO, but Foggy Bottom needs to think its plans through. GAO's report says, quote, The United States faces expanding cyber threats and the challenge of building international consensus on standards for acceptable state behavior in cyberspace, end quote.
Starting point is 00:10:03 It would like to see more data and evidence that would support the State Department's presumed belief that a new bureau could identify objectives and meet them. Quote, Without developing evidence to support its proposal for the new bureau, State lacks needed assurance that the proposal will effectively set priorities and allocate appropriate resources for the bureau
Starting point is 00:10:24 to achieve its intended goals, end quote. So go get them some data and evidence. Who could object to that?
Starting point is 00:12:31 Professor Brian Gant is an instructor of cybersecurity at Maryville University. Prior to his teaching career, he served in both the FBI and the Secret Service, protecting the Clinton administration from both physical and cyber threats. Dr. Gant joins us with thoughts on the challenges President Biden and his team face as they bring their cyber strategies into focus.
Starting point is 00:13:24 Well, as he comes into office, you know, with the unfortunate events that happened at the Capitol with the Capitol breach, I think national security and domestic terrorism should be the items, you know, in the forefront, you know, as he comes into office. Attackers or threat actors, as we call them in the cybersecurity world, their main objective may be to just demonstrate that the U.S. is in chaos in terms of the different groups between the left and the right, a lot of the domestic terrorism that's occurring, militias and things of that nature. And they may just want to seek to attack national news outlets like CNN or Fox News, or they may go after government websites, OPM, DOD, White House websites, things of that nature,
Starting point is 00:14:27 to cause any kind of disruption, knowing that the Capitol insurrection was successful and just seeing the disruption that it caused. What is your expectation here? Are you hopeful that President Biden is going to have a good handle on this? From what you've seen as an observer, the team, the names that he's mentioning, is this cause for hope? Yeah, it's definitely cause for hope. It seems as though his experience as a former vice president will kind of give him a leg up on those intel briefings and reaching out to local, federal and state partners to see what he can do to not only beef up the physical, but also the cybersecurity presence of this country. I was fortunate enough to guard President or Vice President Biden during my time as a Secret Service agent. And he was known to be very adept at reading those intel subcommittee reports from
Starting point is 00:15:36 Congress and acting on them where it needed to be. So just in what I've seen in the last four or five days in terms of the number of National Guard troops and number of law enforcement officials who will be on hand, and this, you know, the inauguration is considered an NSSE event, which is a national security event. So the impact and the ramping up of incident management is much easier when you have that NSSE designation. You know, it's interesting when we had the riot at the Capitol, it was really an intersection of physical security and cybersecurity, but particularly in that, you know, the way that some of those computer systems were accessed, you know, people didn't have time to log out of machines, and we even have reports of some machines possibly being stolen. Now, it strikes me with your background, having been with the FBI
Starting point is 00:16:34 and then also the Secret Service, that, you know, that intersection of physical security is something that's within your experience that perhaps a lot of folks in cyber don't always think about. Absolutely. You hit the nail right on the head. Cybersecurity and physical security go hand in hand. And it's one of the things that I tell my students here at the university. You may think that they are two separate departments, but the liaison between the two, the better relationship you have with your physical security department and understanding physical security access to critical infrastructures and things of that nature, the better job you'll have at layers of protection. Security is all about layers.
Starting point is 00:17:22 And that's one thing that the Capitol did not have. It did not have those protective rings. It did not have the physical bike rack pushed out far enough. It did not have the additional physical presence of National Guard troops or law enforcement officers surrounding that ring. And sometimes it's just as simple as putting a physical body outside of a server closet that houses some protective information. So understanding the correlation between the two and accepting it will only enhance your security plan. That's Professor Brian Gant from Maryville University. There is a lot more to our interview. Don't forget to go listen to extended versions of this and many other interviews at CyberWire Pro. It's on our website, thecyberwire.com.
Starting point is 00:18:53 And I'm pleased to be joined once again by Chris Novak. He is the Global Director for Verizon's Threat Research Advisory Center. Chris, it is always great to have you back. I wanted to touch today on ransomware and some of the things that you and your team are tracking when it comes to the evolution of ransomware, what you're seeing on the payment side and with ransomware in general. What can you share with us today? Yeah, thanks, Dave. Great to be back. And it's interesting,
Starting point is 00:19:41 this is an area of research that we've done for quite a bit of time. You know, we've been looking at ransomware and it's kind of almost, I don't know if I want to say comical because it's so bad at the same time. But when we first started doing research into the area of ransomware many, many years ago, it was kind of one of those, hey, we should keep an eye on this. This might actually become something, but right now we're not really seeing all that much. And then as the years went on, we kind of saw it go from not making our top 10 list to rapidly moving up the list to now where it is, you know, essentially at the top of the charts in terms of the commonality of it. And, you know, one of the things that we keep seeing is, especially when we look at some of, you know,
Starting point is 00:20:20 like federal agencies and public sector, you know, we're seeing a fair bit of attacks against them, as well as obviously also the private sector. But, you know, if you look at that and you see, you know, we surveyed a number of federal agencies and about 30% of them had responded that they had fallen victim to a ransomware attack. And again, you know, I think there's some number of these that, you know, like many attacks that may be underreported, but the landscape there is changing dramatically because we're also seeing all of this being complicated further by things like COVID, where we're seeing that as being used as a foothold or an attractant to say, hey, you know, how do we get people to click on a link? How do we get people to download something? How do we get people to share information? We tell them we have masks, we have tests, we have vaccines, we have, you know, and all sorts of crazy things that we'll see. But if we look at kind of the terminology of all the different things in various, you know, social engineering campaigns, we're seeing that that is very high on the list of what they're using these days in terms of COVID-related scams to get a foothold to deploy the ransomware.
Starting point is 00:21:27 And then the other thing I'd also say that's kind of a complicating factor that we're seeing on the rise is, do you pay or do you not? Right, right. Yeah, I was going to – that's where I was going to go next with you because, you know, at the outset, the initial advice from folks like the FBI and sort of across the landscape was don't pay the ransom. You're only encouraging them and so on and so forth. But now it seems to me like it's more complicated than that. People have insurance. And the dollar amounts, the ability to restore, even if you have backups, I mean, it's not so cut and dry these days. Yeah, you're 100% right on that.
Starting point is 00:22:08 You know, a lot of times I get that question of, you know, what should we do? And I'm like, look, I'll give you as much advice and guidance based on past experience of what I've seen happen elsewhere. But at the end of the day, everybody needs to make their own decision, right? It's like your own personal self.
Starting point is 00:22:22 You need to ultimately decide what you're going to do. And it's interesting because when we look at that, you know, one, there's the possibility of, hey, if you pay, does that make you an interesting target? Does it mean someone else is going to come after you? Because they know you're likely to pay. Or in some cases, you mentioned cyber insurance. We're actually seeing attackers getting wise to the fact that, hey, you know what? If you have insurance, well, heck, you're not even going to, quote, feel this, right? And everyone likes to talk about when insurance pays, people kind of refer to it as a victimless crime. And I would imagine the insurance companies would
Starting point is 00:22:55 beg to differ. But that is obviously playing into their calculus now of, well, if more organizations have insurance and we can get that to pay, then let's go ahead and ask for larger ransoms. Or in some cases, even trying to figure out what coverage limits an organization might have in order to figure out how much they should ask for. And it gets even more complicated than that is in some cases, you pay the ransom, you don't necessarily get your data back or it doesn't necessarily stop them from publishing it, right? At the end of the day, you're still dealing with criminals here. What's your sense for the near horizon? I mean, is it the way that things stand right now? Is that pretty much the state of things? Are we kind of in equilibrium, you know, with it's hard
Starting point is 00:23:41 to know if things are getting better or worse, but it seems certain that for the moment they're here to stay. Yeah, I'd say that that's a fairly accurate assessment of it. I would say that we are probably, I would say we're at a steady state. I think it's not getting horribly worse, but I don't think it's getting dramatically better at the same time. And I think part of it is organizations are still trying to figure out what is the right thing to do. The one thing that I am happy to see, if you will, is that we're seeing more and more requests for organizations wanting to do things like establish a ransomware playbook or do things like ransomware simulations so they can understand if something like this were to happen, what it might be like and how their response might hold up. Because I think that's an issue that a lot of organizations tend to feel like, hey, you know, as crazy as it may sound, some of them are still kind of flying by the seat of their pants in terms of what are we going to do if this happens? And then once it happens, all of a sudden they realize, you know, we have to shut down
Starting point is 00:24:37 the office because nothing works. What are we going to do? And I mean, I've even seen some organizations that they've said, hey, we're not worried. We've got great backups. And then I'll ask, well, when was the last time you did a ransomware situation? Because this is not just let's restore one PC from backup, right? This could be dozens, hundreds, thousands, who knows? Have you ever actually done a ransomware simulation? Because the thing I've seen happen is organizations just trust that they have backups, and then they go to do the restore, and they realize, oh, my God, this is going to take us weeks to restore this data. And all of a sudden, they're like, wow, this may not actually be less expensive than paying the ransom.
Starting point is 00:25:15 Yeah, yeah. All right. Well, Chris Novak, thanks for joining us. You bet. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
Starting point is 00:25:49 It'll save you time and keep you informed. Spread a little sunshine. Listen for us on your Alexa smart speaker, too. If you're wondering what to do with yourself this weekend, well, take some time and check out Research Saturday, my conversation with Yonatan Striem-Amit. He's from Cybereason's Nocturnus research team. We're going to be focusing on their work on the Kimsuky cyber espionage group.
Starting point is 00:26:13 That's Research Saturday. Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
