CyberWire Daily - Multiple Cozy Bear sightings (at least the bear tracks). Spyware in a Chinese employee benefits app. Phishing campaigns. DoppelPaymer rebrands. And ignore that bot--it hasn't been watching you surf.
Episode Date: July 30, 2021
Cozy Bear's active command-and-control servers are found, and people conclude that Moscow's not too worried about American retaliation after all. Spyware found in an app for companies doing business in China. What to make (and not make) of the Iranian documents Sky News received. Phishing with Crimean bait. HTML smuggling may be enjoying a moderate surge. DoppelPaymer rebrands. Andrea Little Limbago from Interos on growing the next-gen of cyber. Our guest is Jamil Jaffer from IronNet Cybersecurity on protecting the Black Hat Network Operations Center. And good news--that blackmailing bot really doesn't know what you did this summer. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/146
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Cozy Bear's active command and control servers are found,
and people conclude that Moscow's not too worried about American retaliation after all.
Spyware's found in an app for companies doing business in China.
What to make and not make of the Iranian documents Sky News received.
Phishing with Crimean bait.
HTML smuggling may be enjoying a moderate surge.
DoppelPaymer rebrands.
Andrea Little-Limbago from Interos on growing the next generation of cyber.
Our guest is Jamil Jaffer from IronNet Cybersecurity on protecting the Black Hat Network Operations Center.
And good news, that blackmailing bot really does not know what you did last summer.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 30th, 2021.
Security firm RiskIQ this morning reported having identified more than 30 active APT29 command and control servers delivering WellMess and WellMail malware, espionage tools CISA identified last year as particularly active against COVID-19 vaccine development efforts in the UK, Canada, and the US. APT29, also commonly known as Cozy Bear, is of course
generally associated with Russia's SVR. Bloomberg sees the discovery as evidence that Russia isn't taking U.S. complaints of cyberactivity
targeting critical sectors particularly seriously.
Indeed, the Russian embassy in Washington was positively blasé,
simply referring inquirers to their earlier statement that people should avoid sweeping accusations,
and saying that further discussions with the U.S. would surely improve the security of the
information infrastructure of our countries. Kevin Livelli, RiskIQ's Director of Threat Intelligence, told Bloomberg, quote, often when an APT group receives a lot of public attention, either in security research or politically, it goes to ground for a bit until the heat is off.
Our findings show that APT29 is back to business as usual, despite widespread exposure in the SolarWinds episode, and a high-level summit where President Biden leaned on President Putin to be less aggressive in cyberspace.
In fact, APT29 is using the same malware they used to steal COVID-19 research a year ago,
despite the fact that the U.S., U.K., and Canadian governments called them out on it.
They haven't missed a beat. End quote.
Indeed, they haven't.
As RiskIQ's own report puts it,
the activity uncovered was notable given the context in which it appeared,
coming on the heels of a public reproach of Russian hacking by President Joe Biden
in a recent summit with President Vladimir Putin.
The White House had a tight-lipped no comment.
Cozy Bear's activities appear to occupy the gray zone of espionage.
There's at present no suggestion that sabotage was involved,
although theft of IP, reconnaissance, and battle space preparation are certainly possibilities.
Recorded Future's Insikt Group has evaluated Beijing OnePass, an employee benefits application the Chinese government provides to companies doing business in that country. The app appears to be spyware. Quote, the installed application exhibits
characteristics consistent with potentially unwanted applications and spyware. Some notable
suspicious behaviors relate to several dropped files and subsequent processes initiated from the primary
application. These behaviors include a persistence mechanism, the collection of user data such as
screenshots and keystrokes, a backdoor functionality, and other behaviors commonly associated with
malicious tools, such as disabling security and backup-related services. At the time of writing, it is unclear if the spyware features were added inside the Beijing OnePass software on purpose,
or if they were inserted after a compromise of the company's software development pipeline.
In fairness to Beijing, attributing the undeniable spyware functionality to China's intelligence services isn't a matter of certainty,
since, as the Insikt Group points out, it's possible that unknown parties, criminals or others,
inserted the spyware after having compromised the app's development.
Recorded Future called BJCA, the state-owned enterprise that makes Beijing OnePass, but they were unwilling to comment.
It's a problem for
companies doing business in China. Quote, while information about how the spyware functionality
made it inside the app is still shrouded in mystery, its presence is undeniable. Furthermore,
companies doing business in China may not have an option and may be forced to install the software.
End quote. If that's you or your organization,
isolate the app and keep it away from systems that handle sensitive information.
Beijing OnePass isn't the first time an app the Chinese authorities pressure foreign companies to install has exhibited troubling behavior.
As Recorded Future gracefully points out,
a little more than a year ago, Trustwave Labs
found that a Chinese bank was requiring foreign companies operating in the country to install an
app to file taxes with local governments. That app was backdoored. Haaretz looks at the documents
Sky News obtained that appear to be Iranian studies of cyber sabotage
operations and points out that the documents are based on readily available open sources.
They aren't in themselves offensive planning documents and could be equally relevant to
defensive measures. There's a term paperish quality about them that falls well short of
what an actual operations plan might look like.
Still, the possibility of cyber-sabotage is worth keeping an eye on.
Security firm Malwarebytes describes a phishing campaign baited with a Crimean manifesto whose hook is a VBA RAT.
The document, appearing in both Russian and English, represents itself as opposed to Russia's occupation of Crimea, but this isn't grounds for even circumstantial attribution.
Researchers at Menlo Security are tracking an HTML smuggling attack they call ISOMorph.
The attack bypasses network security solutions like legacy proxies and sandboxes to gain access to targeted devices.
Subsequent stages install AsyncRAT or NJRAT.
NJRAT has been used for some time by so many different threat actors
that its presence has little to say about attribution.
Those who have used it have tended to go after what Menlo Security characterizes as
high-value targets in the Middle East.
HTML smuggling is enjoying a resurgence in popularity among criminals and nation-states.
Menlo Security points out that the Nobelium Threat Group,
also known as APT29 or, again, Cozy Bear, Russia's SVR,
used it during the campaign that exploited SolarWinds vulnerabilities.
There's another rebranding in progress down in the ransomware underworld.
Security firm Zscaler says that DoppelPaymer, which had been quiet for a bit, seems to have re-emerged as Grief.
This kind of rebranding constitutes a low-order form of misdirection,
the criminal equivalent of the magician's nothing-up-my-sleeve,
and should by now be considered a regular phase of the criminal-to-criminal market's business cycle.
And finally, remember, scareware?
The stuff that would pop up and tell you that you'd been caught visiting naughty content on what we've come to call adult websites,
although perpetually adolescent websites would probably be better.
The stuff said that the FBI was on to you
and that you would be unmasked and disgraced before your friends, family, employer,
and whatever gods you prayed to. Yeah, remember that stuff? Well, it's back in the form of bot-driven spam. Security
firm Bitdefender said today that they've been following a multilingual, multinational spray
and pray campaign that's spamming people to tell them that their credentials have been compromised
and that they, the criminals,
know what you've been up to online and that it's not a pretty sight. If you pay them off,
they'll keep it all quiet. The extortion demand varies with the language of the message.
In Italy, they want 950 euros. In Brazil, 1,600 reais. 1,350 euros from those who speak Dutch,
650 dollars from Francophones, insultingly denominated in U.S. dollars.
From Romanians, they want 1,250 Yankee greenbacks,
and from the monoglot Americans, they ask 1,500 bucks.
The price list suggests that consciences are about a hundred bucks guiltier in Amsterdam
than they are in New York or even Los Angeles, which strikes us as unlikely, but who knows?
All payments naturally should be remitted by Bitcoin. The good news? It's all hooey.
They've got nothing on you. Delete that message and have a nice day.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our
GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
The Black Hat Conference is once again upon us,
and this year, IronNet Security are among the organizations partnering with Black Hat organizers
to secure the event's Network Operations Center.
It's an interesting task, to say the least, given the high profile and history of Black Hat. Jamil Jaffer is Senior Vice President at IronNet Security.
Sure. So, you know, IronNet
Cybersecurity was founded by General Keith Alexander, the former director of the NSA and
the founding commander of U.S. Cyber Command. And we brought together a great group of people,
you know, offensive operators from NSA, the best and the brightest who were going up against the
Russians and the Chinese, getting into their systems, and the defensive side, defending the U.S.
government from these types of attacks, the DOD and the Defense Industrial Base. And so,
brought together some great folks. And when this company got started, you know, right actually
before General Keith Alexander left NSA, he was the first NSA director to actually go to Black Hat and engage
the audience, to go to those organizations to talk about what NSA does.
And it was a fundamental sea change in the way the government operated with respect to hackers and the like and the community that's there.
He came in jeans. He talked candidly.
And we've seen that happening more.
And so IronNet's always had in our culture to be part of these events and to be part of that community, whether it's Black Hat or DEF CON or the like. And so as we've always engaged, we've
always been there. I've spoken a couple of times at Black Hat and I've sherpaed members of Congress
to DEF CON just two years ago before COVID hit. So, you know, we've been engaged the whole way.
This year, we decided to up that engagement with Black Hat. This year, we decided we're going to be
one of the organizations that's going to defend the NOC. So Black Hat has a network operations center. As you know,
everyone tries to come after Black Hat to say you took out the network operations center.
Black Hat is a matter of pride for both White Hat and other hackers, Gray Hat and the like hackers.
And so to be the organization defending the NOC is a big task. And so we're doing that this year. We're excited about it. And frankly, we're bringing this collective defense mentality, this collective defense capability to the NOCs not just against what we know about, but the unknown unknowns, right? Trying to find those new and novel threats that are coming up against the NOC.
That'll help defend the NOC better at Black Hat, but it'll also help defend our clients
out in industry better all at the same time.
So, you know, that collective defense we were talking about and what the Cyberspace Solarium Commission talked about, we're going to bring that to bear this next week at the Black Hat Network Operations Center.
Yeah, I mean, it's a really good point in that collaboration flows both ways, that you're able to provide your services, your expertise to help defend. But at the same time, all of that stuff that's going to be coming at you, that's a great learning opportunity looking for novel approaches and things you can take back to your clients and share with the community.
Well, exactly right.
And at the end of the day, that's what this is all about.
You know, the idea, you know, we've never thought about in no other sort of area of nation state activities, right, where we know nation states have highly capable actors,
criminal gangs that are sometimes funded by nation states.
We've never thought that was the job of individual companies to defend against.
I mean, think about it, right?
If the Russians were to fly a bomber over U.S. territory, we don't think Target or Walmart or J.P. Morgan should have surface-to-air missiles
on the roof of their buildings or their warehouse to defend against the Russians. That's crazy.
And yet in cyberspace, the theory is exactly the opposite. Every single company, large, small,
mom and pop, big bank, big energy, they all have to defend against the Russians, the Chinese,
the Iranians, the North Koreans, major criminal gangs emanating out of Eastern Europe, major criminal gangs operating out of
China now increasingly. That doesn't make sense. You can't expect a single company that's a
profit-making entity whose job it is to build services for consumers or other businesses
or products to also spend the kind of money it takes to go up against a nation-state or a
nation-state-like attacker. And so the only way to get around that and to solve that problem is to bring
companies together, industries together, and frankly, industry and government together to
really defend one another in this new domain that we're fighting. That's Jamil Jaffer from
IronNet Security. There's a lot more to this conversation. If you want to hear the full
interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I am pleased to be joined once again by Andrea Little-Limbago. She's the Vice President of Research and Analysis at Interos.
Andrea, it's always great to have you back. You know, we always talk about how there aren't enough folks to fill all of the jobs that we have available in cyber.
And I know you've got some stories to share of some of the next generation coming up, some kids who are interested in joining us in this good fight.
Yeah, it's been one of those things where over the last year has certainly been hard for so many different reasons.
One of the silver linings has been the ability to reach out to more students.
For me, it's been the ability to reach out to more students wherever they are across the country and actually across the globe due to the virtual format now.
And so I've had the opportunity to either fill in as a professor at a university or just speak at various kinds of conferences
at the universities.
And honestly, they were some of my best experiences
over this last year.
And I've done it before, but it's always,
it's increased actually for some reason
over this last year.
I've been able to have the opportunity
to do it a lot more.
And the questions that the students are asking,
they're really insightful.
The areas that they're studying,
for me, didn't exist when I was in college or even come close to it. They're really engaged, and they
really, I think, are taking just a really nice angle on it where, you know, I, as a social scientist,
you know, I, you know, I basically was trained in, you know, in my lane of, you know, of international
relations, and I think the same thing happens across engineering, across math,
various sciences. It's kind of stovepipe. What I saw a lot from these students was really this
multidisciplinary approach. And so looking at biology and technology, and that'll help them
in the biotech area. Those that are in political science are also taking computer science and
really focusing on what digital democracy could look like and really rethinking a lot of those
frameworks and models. They're just really coming at it with a lot of interesting and different ideas, different perspectives, and enthusiasm. And so that, I think, was one of the things that, you know, it gave me. It was sort of, it was like a jump start for me to reignite my own enthusiasm that I've had, you know, because it kind of, you know, this industry can be hard, yeah, day after day.
And so there's so much excitement, enthusiasm, and good ideas that we do. I mean, it's been
really exciting. I think one example, Atlantic Council does Cyber 912, where they have students
come in and they basically, the universities compete against each other to tackle, they make
up a policy scenario and they have to come in and they create what the policy responses should be.
And they were just really bright, like really looking at, they were able to pull a thread together across different areas just in ways that I think doesn't always happen.
And so it was really, you know, it was nice to see.
And they're really just bright, articulate, enthusiastic.
You know, it gave me a lot of hope for where we're going as an industry. And I think it's really going to not revitalize, but just help transform the industry in light of what, you know, all the various kinds of threats and opportunities that are going
on in the world. Do you have any thoughts on what is driving that breadth of information that,
I mean, is it the way that they are, the accessibility they have to information that
perhaps, you know, you and I growing up didn't have. We had to go to the library. We had to pull out the encyclopedia. And this group of digital natives have everything at their fingertips.
They do. And I think that for sure is part of it,
which I think also is how they think about things. You know, almost everything they look at
has some technology component to it. So when they're thinking about healthcare,
they still think about technology with it. Or when they think about doing some sort of biomedical research, there's technology, or even energy.
They think about the technology driving it. I think that just is a natural component, whereas
I think for us, it was a separate area of study. And even when we think about cybersecurity,
cybersecurity just is pervasive throughout every industry possible. And when we try and, you know, look at it separately outside of some of those industries,
you know, that's where we've gotten into some problems when they really are so interconnected.
And so I do think that because they are digital natives, they always have that technology in hand.
And so they always think about, you know, how technology can be used for good and for bad.
I think that's also the difference.
It's because they've seen it.
As they grew up, they've seen how technology can be great for that access information.
They've also seen or experienced personally or from amongst their peers the negative sides of the technology and information access.
So I think they're just much more aware of the benefits and the harms and really trying to do what they can to optimize the benefits that we can have and the impact that we can have.
And so it's been interesting.
It's, you know, going at the conferences, you know, like some of the B-sides and so
forth still had, you know, career mentoring and resume reviews.
And, you know, more and more of the students were able to access those this year.
And so I think that's been great, too.
And that's how one greater interaction for those of us in the industry with the students,
which has been good.
But for those students, you know, it made those conferences that they couldn't, I mean, I would never have been able to afford any of the conferences when I was in college, but it just made them accessible to hear.
And so I think that also, I hope that's something
that doesn't change going forward,
is keeping some of the virtual ability
to watch some of these, especially for students.
I think it really can help open a lot of minds
and exposure to the whole breadth
of what the industry can provide.
All right. Well, Andrea Little-Limbago, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday program.
I'm speaking with Charity Wright from Recorded Future's Insikt Group.
We're going to be talking about China's digital colonization.
That's Research Saturday. Check it out.
The Cyber Wire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Trey Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.