CyberWire Daily - More malware deployed in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK’s hackers. Quiet persistence in corporate networks.
Episode Date: May 4, 2022

An upswing in malware deployed against targets in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK's hackers. Quiet persistence in corporate networks. CISA issues an ICS advisory. Caleb Barlow on backup communications for your business during this period of "shields up." Duncan Jones from Cambridge Quantum sits down with Dave to discuss the NIST algorithm finalist Rainbow vulnerability. And, hey, officer, honest, it was just a Squirtle….

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/86

Selected reading.
Update on cyber activity in Eastern Europe (Google)
Multiple government hacking groups stay busy targeting Ukraine and the region, Google researchers say (CyberScoop)
Google: Nation-state phishing campaigns expanding to target Eastern Europe orgs (The Record by Recorded Future)
SolarWinds hackers set up phony media outlets to trick targets (CyberScoop)
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse (Recorded Future)
Experts discover a Chinese-APT cyber espionage operation targeting US organizations (VentureBeat)
Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (Cybereason Nocturnus)
Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques (Cybereason)
Chinese hackers cast wide net for trade secrets in US, Europe and Asia, researchers say (CNN)
Researchers tie ransomware families to North Korean cyber-army (The Record by Recorded Future)
The Hermit Kingdom's Ransomware Play (Trellix)
New espionage group is targeting corporate M&A (TechCrunch)
Cyberespionage Group Targeting M&A, Corporate Transactions Personnel (SecurityWeek)
UNC3524: Eye Spy on Your Email (Mandiant)
Yokogawa CENTUM and ProSafe-RS (CISA)
Cops ignored call to nearby robbery, preferring to hunt Pokémon (Graham Cluley)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
An upswing in malware deployed against targets in Eastern Europe.
Cozy Bear is typosquatting.
CuckooBees swarm around intellectual property.
Tracking the DPRK's hackers.
Quiet persistence in corporate networks.
CISA issues an ICS advisory.
Caleb Barlow on communications for your business during this period of Shields Up.
Duncan Jones from Cambridge Quantum sits down with Dave to discuss the NIST algorithm finalist Rainbow vulnerability.
And hey, officer, honest, it was just a Squirtle.
From the CyberWire studios at DataTribe, I'm Trey Hester with your CyberWire summary for Wednesday, May 4th, 2022.

There's been an upswing in malware deployed against targets in Eastern Europe. The surge is connected with Russia's war against Ukraine. Google's Threat Analysis Group has been tracking the increased activity, much of it traceable to Russia, and especially to Fancy Bear, Russia's GRU military intelligence service, but some of it involving the more or less Russia-aligned Belarusian and Chinese services.
Some of Google's key conclusions are, Edge, and Firefox browsers.
Turla, a group TAG attributes to Russia's FSB, continues to run campaigns against the Baltics, targeting defense and cybersecurity organizations in the region. Similar to recently observed activity, these campaigns were sent via email and contained a unique link per target that led to a .docx file hosted on attacker-controlled infrastructure. When opened, the .docx file would attempt to download a unique PNG file from the same attacker-controlled domain.
Coldriver, a Russian-based threat actor sometimes referred to as Callisto,
continues to use Gmail accounts to send credential-phishing emails to a variety of Google and non-Google accounts. The targets include government and defense officials, politicians, NGOs, think tanks, and journalists.
The group's tactics, techniques, and procedures for these campaigns have shifted slightly from including phishing links directly in the email to also linking to PDFs and/or DOCs hosted by Google Drive and Microsoft OneDrive. Within these files is a link to an attacker-controlled phishing domain.
Ghostwriter, a Belarusian threat actor, has remained active during the course of the war
and recently resumed targeting of Gmail accounts via credential phishing.
The campaign, targeting high-risk individuals in Ukraine,
contained links leading to compromised websites where the first-stage phishing page was hosted.
If the user clicked continue, they would be redirected to an attacker-controlled site that collected the user's credentials.

Finally, there's Curious Gorge, who's curious about both sides of the conflict and is prospecting Russian targets as much as any other. Curious Gorge, a group TAG attributes to China's PLA SSF, has remained active against government, military, logistics, and manufacturing organizations in Ukraine, Russia, and Central Asia.
In Russia, long-running campaigns against multiple government organizations have continued,
including the Ministry of Foreign Affairs.
Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors, manufacturers, and a Russian logistics company. The initial approach of all of these groups has tended to be through email phishing.

Recorded Future describes a cyber espionage campaign operated by Nobelium, that is, Cozy Bear, Russia's SVR foreign intelligence service. The researchers call the command and control infrastructure the SVR is using SOLARDEFLECTION, and they summarize four key conclusions about the state and prospects of the campaign. Insikt Group is confident that the identified SOLARDEFLECTION infrastructure can be attributed to the threat activity group publicly reported as Nobelium. This confidence is based on the use of overlapping network infrastructure previously attributed to Nobelium in public reporting, as well as unique variations of Cobalt Strike traditionally used by the group. Broader themes in SOLARDEFLECTION C2 typosquats have included the misuse of brands across multiple industry verticals, particularly in the news and media industries. Cobalt Strike servers related to SOLARDEFLECTION monitoring that were also previously linked to Nobelium activity used modified server configurations, likely an attempt to remain undetected by researchers actively scanning for standard Cobalt Strike server features. Finally, Nobelium has made extensive use of typosquat domains and SSL certificates and will likely continue to use deceptive techniques, including typosquat redirection when using Cobalt Strike tooling.

The SVR's mission is the collection of strategic intelligence. It's believed, CyberScoop points out, to have been the agency behind much of last year's SolarWinds exploitation. Typosquatting involves the creation of a domain name that closely resembles one owned and operated by a legitimate organization.

Cybereason today described CuckooBees, which it characterizes as a massive Chinese cyber espionage effort directed at stealing U.S. firms' intellectual property. Cybereason attributes the activity, with medium to high confidence, to China's Winnti threat group.
Researchers at Trellix reported yesterday that North Korea's army has made another foray into the ransomware market. It's no news that the DPRK has long engaged in financially motivated cybercrime, but Trellix has tied four strains of ransomware, BEAF, PXJ, ZZZZ, and ChiChi, to Pyongyang's Unit 180, also known as APT38, and the Lazarus Group. The New Yorker boggles at the group's incredible rise, but Unit 180 has been known for some time. Trellix speculates that the East Asian target set being prospected in these recent campaigns, and the campaigns' relatively small and selective scale, suggest that Unit 180 is seeking to determine whether there's a good chance of profit from a resurgent ransomware effort.

Mandiant is tracking a cyber espionage group it calls UNC3524 that has taken an interest in corporate email accounts associated with companies engaged in large financial transactions, especially those related to mergers and acquisitions. UNC3524 is noteworthy for its ability to achieve undetected persistence in targeted networks, an ability Mandiant attributes to the novel backdoor QUIETEXIT, which has enabled the threat actor to establish itself for as long as 18 months before being detected. While the researchers find overlaps in technique between the threat actor and both Cozy Bear and Fancy Bear, they so far lack sufficient evidence for definitive attribution.
The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, yesterday issued an Industrial Control Systems advisory for Yokogawa CENTUM and ProSafe-RS.
And finally, back in 2017, two LAPD police officers failed to respond to a radio call
alerting them to a robbery in progress at a
California Macy's in the Crenshaw Mall. They later said they never heard the call because there was
loud music blasting over the PA system in the Crenshaw Park. But a review of their digital
in-car video system told a different story. According to Graham Cluley of Smashing Security,
quote, the truth was they had deliberately ignored the call for assistance. They weren't
interested in catching robbers.
They were hunting for Snorlax and Togetics.
That is, they were chasing Pokémon.
The officers in their defense in the subsequent investigation
say they were only talking about the game, not actually playing it.
But the Los Angeles Police Department didn't buy that.
Let the one who's never tamed a Charmander cast the first Ultra Ball.
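The SOLARDEFLECTION story above turns on typosquat domains that imitate real brands, particularly news and media outlets. What follows is an added example, not code from the show, from Recorded Future or from Insikt Group: a small hunter that generates the usual typo permutations of a brand's registrable label (dropped letters, transpositions, doubled letters, inserted hyphens, and look-alikes such as "rn" for "m" or "1" for "l") and checks a feed of newly observed domains against them, with plain edit distance as a catch-all for permutations the generator does not enumerate. The two brand names and the observed-domain feed are constructed for the example; the two-label domain split and the small look-alike table are assumptions that a real deployment would replace with the Public Suffix List and a fuller confusables set.

```python
"""Hunt for typosquats of brand domains in a feed of newly observed domains.

Added example for this page; not code from the CyberWire, Recorded Future or
Insikt Group. The brand list and the observed-domain feed are constructed. In
practice the feed would come from certificate-transparency logs, passive DNS
or newly-registered-domain lists, and domain splitting would use the Public
Suffix List rather than the naive two-label split used here.
"""

# Look-alike substitutions that survive a casual glance at an address bar
# (assumption: a small illustrative table, not a full confusables list).
LOOKALIKES = {
    "m": ["rn"],
    "rn": ["m"],
    "l": ["1", "i"],
    "i": ["l", "1"],
    "o": ["0"],
    "w": ["vv"],
}


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, TLD), e.g. 'www.acmenews.com' -> ('acmenews', 'com').

    Assumption: single-label public suffixes only (no co.uk handling).
    """
    parts = domain.lower().strip().rstrip(".").split(".")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a registrable domain: {domain!r}")
    return parts[-2], parts[-1]


def typo_variants(label: str) -> set[str]:
    """Generate the classic typosquat permutations of one registrable label."""
    out: set[str] = set()
    n = len(label)
    for i in range(n):                      # omission:      acmenews -> acmnews
        out.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                  # transposition: acmenews -> acmeenws
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                      # repetition:    acmenews -> acmeenews
        out.add(label[:i] + label[i] + label[i:])
    for i in range(1, n):                   # hyphenation:   acmenews -> acme-news
        out.add(label[:i] + "-" + label[i:])
    for src, subs in LOOKALIKES.items():    # look-alikes:   acmenews -> acrnenews
        start = label.find(src)
        while start != -1:
            for sub in subs:
                out.add(label[:start] + sub + label[start + len(src):])
            start = label.find(src, start + 1)
    out.discard(label)
    out.discard("")
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance; the catch-all for permutations the generator misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquats(brands, observed, max_distance=1):
    """Map each suspicious observed domain to (brand it imitates, reason).

    A domain is flagged when its registrable label equals a brand label under
    a different TLD, is a generated typo variant, or is within max_distance
    edits of the brand label. The brand itself and its own subdomains are
    never flagged.
    """
    index = [(b, *split_domain(b), typo_variants(split_domain(b)[0])) for b in brands]
    hits = {}
    for dom in observed:
        label, tld = split_domain(dom)
        for brand, blabel, btld, variants in index:
            if label == blabel:
                if tld == btld:
                    break                   # the brand itself or one of its subdomains
                reason = "tld-swap"
            elif label in variants:
                reason = "typo-variant"
            elif levenshtein(label, blabel) <= max_distance:
                reason = f"edit-distance<={max_distance}"
            else:
                continue
            hits[dom] = (brand, reason)
            break
    return hits


# Constructed sample data: two fictional brands and a fictional feed of newly
# observed domains, as it might arrive from certificate transparency.
BRANDS = ["acmenews.com", "globalwire.org"]
OBSERVED = [
    "acmenews.net",          # same label, different TLD
    "acrnenews.com",         # m -> rn look-alike
    "acmnews.com",           # dropped letter
    "acme-news.com",         # inserted hyphen
    "gIobalwire.org",        # capital I for l
    "globalwires.org",       # added letter (caught by edit distance)
    "globalwire.org",        # the brand itself
    "cdn.globalwire.org",    # brand's own subdomain
    "unrelated-site.com",    # benign
]

if __name__ == "__main__":
    for dom, (brand, reason) in sorted(find_typosquats(BRANDS, OBSERVED).items()):
        print(f"{dom:22} imitates {brand:16} ({reason})")
```

The hit list is the pivot point, not the verdict: each flagged domain still needs resolving, its certificate pulled, and its hosting compared against known infrastructure before it is treated as attacker-controlled, which is the kind of overlap analysis the Insikt Group attribution rests on.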
A substantial amount of research is focused on the realm of quantum computers,
systems which take advantage of quantum effects to crunch math problems too difficult for modern conventional computers.
NIST is in the midst of evaluating candidates for post-quantum cryptography,
trying to strike a reasonable balance between security and interoperability with existing networks.
It's what those in the industry refer to as a big deal.
And it's not easy.
I checked in with Duncan Jones, head of cybersecurity at Cambridge Quantum,
for a bit of a reality check.
It's a huge task, to be honest,
and it worries me a little how much work lies ahead
because we have to tear out the guts
of almost every cybersecurity system
and change to something that is a bit different.
It has different properties, behaves slightly differently,
different sizes of keys and things.
It's not a completely trivial replacement.
And what we've discovered in the past
when people have tried to do far simpler migrations,
so for example, we've seen cryptographic hash functions
fall out of favor over recent years.
And despite five or ten years of awareness
that something like MD5 is broken,
we still see it in use.
And that's because it takes a lot of effort
to make these changes.
And usually for a company, the first challenge
is to establish even what they
are using today and where they're using it. So I think the next, you know, the most important
task companies will be needing to focus on in the next few years is just understanding
their estate. You know, where are they actually using cryptography? What type of cryptography
are they using? What data is being
protected? Because companies are going to have to prioritize the way that they perform this
transition. You can't do everything at once. And so you're going to have to evaluate where are you
most at risk and focus your efforts there. And on top of that, speaking to vendors. And that's
really important, because
many companies will have some combination of the things they build themselves and the things they
buy in. And those conversations with the vendors need to be starting now, or they should have
already started, to really grill them and say, well, what is your strategy for moving your product
from where it is today to something that is quantum safe?

Is there a target date that people should focus on? Is there a realistic timeline on this?

So there's two ways to look at that, I think.
There is no one agreed date that everybody says, yes, that is the point where we're going to be
at risk. And estimates vary widely. I think most people are now starting to settle on
10 or 15 years as a pretty reasonable time frame. Now, one thing though that people need to consider
is that's maybe the point in time where somebody's going to be sat there with a
quantum computer ready to break the data that you're sending around.
But something that really concerns some companies is the idea that the data that they are sending today is potentially being recorded patiently by attackers who know this is a long game,
but they know that in 10 or 15 years, they can break into the stuff that they recorded today.
And so for some companies, that's quite concerning because they know they're sharing data that will still be sensitive
and valuable in 10 years.
And this is something that is known as a hack now, decrypt later attack.
And for that reason, people need to be doing these threat assessments
and deciding where are they exposed to that type of risk.
Because in those scenarios, they need to move really fast because they may already be too late.
You know, in a world where cryptography is fairly routine these days,
we encrypt the contents of our mobile devices, our hard drives, our, you know, it is routine.
We have hardware built into our devices
to handle these sorts of things.
Is it at all an issue that post-quantum cryptography
could be computationally expensive?
Have we outstripped that issue?
Do we have the computational power
that that's not going to really cost us
anything? I think for the most part, yes. I think these algorithms are being selected
with the understanding that we're going to have to be able to execute them on the equipment that
we have. Some specialist equipment is built to speed up these algorithms. And obviously,
everything that's in the field right now has been geared towards speeding up RSA, for example,
that has particular mathematical operations that you have to do. And people have figured out how
to do that blazingly fast. So at a hardware level, there will need to potentially be some
changes.
We'll have to accelerate different types of mathematical problems.
On the whole, people have gone into this with their eyes open.
They know that it's not going to be a successful selection process
if we end up with algorithms that we just can't use in our day-to-day lives.
Are you optimistic that people are giving this the attention it deserves?
I'm a little nervous
I think people are underestimating both the hack now decrypt later part of that
I think that's being underestimated or being perceived as kind of science fiction
and not a thing that will actually happen
whereas I think we will genuinely see examples of that happening
and I think they are underestimating or being optimistic
about how long it's going to take to perform this migration.
So I guess I'm lightly pessimistic is where I'd place myself at the moment.
That's Duncan Jones from Cambridge Quantum.
And I'm pleased to be joined once again by CyberWire contributor Caleb Barlow.
Caleb, always great to welcome you back to the show.
You know, we are in this period of what CISA is calling Shields Up, a heightened sense of awareness and security when it comes to cybersecurity things. I wanted to touch base with you about what this means in terms of strategies for organizations to sustain themselves should the worst happen.

Well, one of the things we have seen, largely not in
the U.S., but certainly, you know, the NotPetya, WannaCry, even, you know, the Shamoon attacks that
went across oil-producing Gulf states is when a destructive attack occurs,
sometimes even in the case of ransomware, one of the impacts that businesses often see is a loss
of communications, right? So loss of email systems, loss of IT and networks, which also often means
loss of phones because the phones are usually voice over IP now. So, you know, this can be a
rather material secondary
impact that a lot of organizations aren't prepared for. And I think as we think about what it means
to be shields up, one of the conversations is to think about what are our emergency communications
and how do we get in contact with key employees or key locations, both to give direction,
but also to get ground truth of what's really going on.
You know, I'm old enough to remember growing up with things like Little League Baseball,
and we had phone trees, you know, where if there was a question as to whether the
game was going to be canceled because of weather or something like that,
you know, you had a phone tree. And so this person would call this person,
would call this person, and it just kind of worked.
What's the modern equivalent of that?
Is there such a thing?
Well, I think we've moved beyond phone trees, although I definitely do remember those, even though I don't want to date myself.
Right.
But think of it this way, right?
A great example of this was when NotPetya hit Maersk, and this is public, their executives were communicating via WhatsApp because it's the only thing that worked. Imagine that, a company that size and you're now reduced
to WhatsApp. So first thing, you need a method of communications that's not on your IT and not on
your network. I personally think Slack is a great backup for this, but here's the other point.
Make sure that whatever you're using for single sign-on, which probably is dependent on
your IT infrastructure, is not what you need to log into that emergency communication system.
You want to have an alternative directory that's not on your company's infrastructure. No,
you cannot get to SharePoint and your active directory when it's all down. So that can be
as simple, depending on the size of a company, of having a spreadsheet that you print out and put
in your underwear drawer with everybody's cell phone number, right? Or it could be something more complex where,
you know, you've got a secondary site that has maybe a copy of your active directory in another
form so you can get to it if you need to. A lot of companies are using emergency communication
systems, you know, similar to what you might have at a school for an active shooter or snow day,
where you can reach out to anybody, home, office, cell, it all rings at the same time to be able to say, hey, you know, there's been a cyber incident at work. We need you to get on this, you know,
emergency Zoom call. Here's the number. You want to make sure you remember those passcodes. Like,
I can't tell you how many, you know, I used to love doing
this in kind of like cyber range scenarios where, you know, I'd read their, their pre-plans and
there would always be, oh, well, in the event of an emergency, we will get on the emergency Zoom
meeting. Great. What's the password to that? I have no idea. Like, all right, well, your plan
suddenly doesn't work, right? Because you've got no way to give everybody the new number to
dial into. The other thing, Dave, is there's something from the Department of Homeland Security called the Government Emergency Telecommunications Service. You can sign up for this if you are a critical infrastructure provider. You can also sign up for it through InfraGard. This will allow you to bypass the phone system, you know, and particularly the cellular network, in order to get access in a 911-level incident where everybody's trying to call everybody.
Right.
You get priority access to set-aside frequencies, right?
Correct.
Well, or at least access to the network.
It's basically a little credit card you carry with you.
It doesn't cost anything unless you use it. Now, the advanced class on this, which I've used before, you know, if you have critical sites that you need ground truth on, satellite phones
are super cheap now. I mean, you know, you can buy a satellite phone with a ridiculously high
rate per minute. You don't care if you actually use it. Put a satellite phone at a couple of
your locations and you know that's
going to work when everything else is down. And the last thing I'll give you is the most extreme
example I've ever seen, which was, you know, the geeky side of me thinks it's pretty awesome. But
it was this large bank I was working with that moved, you know, gazillions of dollars every day.
And their concern was in the event of a major catastrophe, they needed ground
truth. Now that could be everything from a weather event to an explosion to a cyber event.
They put a vehicle at an employee's house about 60 minutes away from their major sites. And the
deal was, if we can't get to the site, you're to get in the car and drive there and tell us what's
going on. And that car had satellite communications, run books. Now this was a
little expensive, but if you're moving gazillions of dollars a day, you need immediate ground truth
to know, do I need to start making decisions? And it kind of gives you the extreme of where
you can take this. Yeah. As a friend of mine puts it, who was in the insurance business,
he said, imagine a Wile E. Coyote smoking hole in the ground. You know, you got to know if that's what you're up against or not, right?
But we don't want to start that process if it's, oh, somebody hit a telephone pole outside of the business and the power will be back up and running in 20 minutes.
Those are two very different decisions.
But if you don't have ground truth, you don't know what to do.
And for them, spending, I don't know, 50 grand on a Ford Explorer to get the information was a drop in the bucket relative to the cost of making the wrong decision.
Right, right. You hope you never need it, but if you're in that situation, boy, that's the last point in time when you want to be trying to make those decisions, right? In the heat of the moment.
Well, and my point here is if you can't communicate, you can't put it together.
I mean, that's the most basic thing here is you can put a lot together just, you know, kind of rolling with it if you can communicate.
If you can't communicate, you're just a, you know, you're a fish in a barrel.
Right, right.
All right.
Well, certainly food for thought.
Caleb Barlow, thanks for joining us.

Thank you.

Ellen, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Trey Hester, filling in for Dave Bittner. Thanks for listening. See you back here tomorrow.