CyberWire Daily - Notes on Tortoiseshell. Fancy Bear snuffles around embassies and foreign ministries. Poison Carp targets Tibetan groups. GandCrab unretires. And Chameleon’s curious spam.
Episode Date: September 25, 2019
Tortoiseshell is trolling for military veterans. There's been a fresh Fancy Bear sighting. The transcript of a conversation between the US and Ukrainian presidents has been released. Citizen Lab warns that Poison Carp is actively working against Tibetan groups. A zero-day afflicting vBulletin forum software is out. GandCrab comes out of retirement. And there's an odd spam campaign in circulation that looks like phishing but seems not to be. Ben Yelin from UMD CHHS on the White House blocking Congress from auditing its offensive hacking strategy. Guest is Tim Keeler from Remediant looking at lateral movement in the context of the NotPetya attacks. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_25.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Tortoiseshell is trolling for military veterans.
There's been a fresh Fancy Bear sighting.
The transcript of a conversation between the U.S. and Ukrainian presidents has been released.
Citizen Lab warns that Poison Carp is actively working against Tibetan groups.
A zero-day afflicting vBulletin forum software is out.
GandCrab comes out of retirement.
And there's an odd spam campaign in circulation that looks like phishing but seems not to be.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 25th, 2019.
Cisco's Talos intelligence unit has blogged a contribution to discussion of the Tortoiseshell threat actor that Symantec described last week.
Symantec outlined the ways in which Tortoiseshell had sought to insinuate itself into the supply chain by hitting IT providers in the Middle East, especially in Saudi Arabia.
The Symantec report noted circumstantial similarities between Tortoiseshell's code and the Iranian threat actor APT34, also known as OilRig.
But they were quick to point out that this counted for next to nothing in terms of attribution, since that code has been blown and publicly available to anyone for months.
Yesterday, Talos blogged that Tortoiseshell is believed to be behind a bogus job site designed to attract U.S. military veterans and others who may wish to support them in their search for employment.
Those who visit the site are liable to infection with malware that has both reconnaissance and remote access functionality.
The reconnaissance malware has the internal name Liderc and retrieves information about the victim's system, including information that could identify whether the malware is running in a sandbox.
The RAT is called IvizTech, and it does what such RATs do.
Talos agrees with Symantec that the operators behind Tortoiseshell show poor OPSEC, but they think that in this case they may make up in volume what they lose through carelessness.
Lots of people like veterans and are happy to help them find jobs, after all, and the URL of the malicious site is close enough to that of a legitimate U.S. Commerce Department site that it might deceive the unwary.
A note on circumstantial attribution.
Liderc is the name of a malign creature from Hungarian folklore that typically manifests itself as a bird.
What does this mean for attribution?
Not much.
The hacker world isn't terribly sensitive about cultural appropriation.
Fancy Bear has returned to a familiar foraging ground and with a familiar tool.
The group has resumed its use of the Zebrocy toolkit against embassies and foreign ministries in Eastern Europe and the Middle East.
ESET, which says this renewed activity dates to late August, also notes that Zebrocy's suite of downloaders, droppers, and backdoors has shown some evolution into marginally more effective forms.
Like all threat groups, Fancy Bear goes by many names. It's also known as Sednit, Sofacy, Group 74, Strontium, and APT28.
But if you're keeping score at home, Russia's GRU military intelligence service is always the man behind the curtain.
The group's interests in this case lie in espionage.
Speaking of Fancy Bear, recall that the group came to prominence in the wake of its intrusion into the U.S. Democratic National Committee, unmasked in 2016.
The company the DNC called in to investigate was CrowdStrike, which seems to be why CrowdStrike is mentioned in the transcript of a phone conversation between U.S. President Trump and Ukrainian President Zelensky that the White House released to assuage the curiosity of Congress.
President Trump appears to ask his counterpart in Kiev for assistance in investigating either Fancy Bear's incursion or the content of what Fancy Bear found.
Expect to hear more about the transcript and CrowdStrike as the U.S. House chews the matter over in coming weeks.
It's common to hear security folks say something along the lines of, it's not a matter of if you get breached, it's a matter of when.
But once someone gets in, how do you slow them down and keep them from having run of the place, jumping from one system to the next?
Tim Keeler is CEO and founder of Remediant, a company that offers privileged access management.
With lateral movement, that's when you establish a single system as your kind of your starting base, your foothold. And then, you know, based from there, you take whatever you can get off of that machine that helps you move to other systems on the network. And, you know, it's kind of the initial starting point for an attacker, but ultimately they have some objective, whether it be intellectual property or customer data or financial motivations, that's kind of the ground zero and lateral movement allows them to, you know, move to other systems that get some access to that data.
So is the notion here that there may be perhaps lower level people within a company whose systems might not be as fortified as say the CEOs, for example, and so it might be easier to get in via their machine and then move on from there?
Oh, without a doubt. And I think this is why we see, you know, spear phishing or phishing campaigns being so successful among attackers. The technical sophistication is extremely low, but it's like, let's just blast this out to a large organization and you always are guaranteed some percentage of success. And that really establishes your initial foothold from an attacker's perspective.
And so how much of organizations' defenses these days are set up to protect against this? I think people have this image in their mind of, you know, the castle walls or the moat around the castle and trying to keep people out that way. But it sounds like with lateral movement, they're already inside the castle.
Yeah, it absolutely is true. And I think one of the biggest shifts in cybersecurity is, you know, kind of rewind the clock 20 years, everyone was focused on protecting the firewall and protecting the network. Very rarely did you see anyone, you know, figuring out how to protect the human. And now there's been this, you know, mad scramble. And that's probably one of the most challenging aspects of cybersecurity is, you know, protecting the human and preventing them from going into a malicious web page or clicking on a link that installs some malware and, you know, I think we found that it's just extremely difficult to do.
We also wanted to chat about what happened back in 2017 with NotPetya. I mean, that's a prime example of this as well, yes?
Yeah, absolutely, absolutely. And this one was very unique, because obviously, it came from a nation state actor and kind of overstepped its boundaries in terms of what it was targeting. But the real interesting aspect of this was, this is the first piece of malware that had some very sophisticated credential harvesting. And it's one thing to leverage a zero-day exploit to infiltrate systems. But then when you take that in addition to, hey, I want to see what credentials are exposed on this system, harvest those, and then use those credentials to then propagate the virus and malware even further, that was just kind of a level of attack that changed techniques all around. And I think we're going to see a lot more of this as the next generation of malware.
And so what are your recommendations in terms of people protecting themselves against this?
You know, the kind of the key one with NotPetya was, you know, the credential harvesting aspect. The first thing it did was target credentials that had administrative privilege, whether it was on that system or on other systems. And then it was, you know, very intelligent where it would start going, you know, to other systems on the network using those credentials to see, hey, what's the scope of admin privilege here? And that's where it was able to spread so, so quickly. It really boils down to understanding who has administrative privileges, whether it is on servers and, more importantly in this case, workstations. But then, you know, really instilling some of the principles of least privilege and zero trust we've been talking about in the industry for so long. Let's, you know, let's try to reduce and remove and, you know, and take away the mitigation of admin credentials.
That's Tim Keeler from Remediant.
The University of Toronto's Citizen Lab describes a campaign directed against Tibetan groups by a threat actor the lab calls Poison Carp.
Citizen Lab says, "Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas."
The links in the messages led to the installation of exploits in the target's mobile devices.
A successor to GhostNet, the campaign has used a suite of Android and iOS exploits.
Its typical infection vector continues to be social engineering, which Citizen Lab calls clever.
Its one-click installation of mobile exploits is new to the Tibetan targets, who have become aware of and suspicious toward better-known phishing attempts, like the classic malicious email attachments.
Reuters observes that this appears to be the same threat actor that's been active against China's predominantly Muslim Uyghur minority.
The Tibetan diaspora has represented an irritant to Beijing since China reoccupied the country in 1950 after 37 years of independence.
An anonymous researcher has published a zero-day affecting the widely used vBulletin web forum software.
ZDNet says the vulnerability is a pre-authentication remote code execution bug.
It's unclear whether the posting was done with malign intent or simply amounted to a bungled disclosure, but it does suggest that organizations using vBulletin should look to their defenses.
Few will be surprised to hear that the GandCrab gang has returned from retirement.
SecureWorks reports that the group has reassembled itself and is responsible for attacks using REvil ransomware, also known as Sodinokibi.
GandCrab at the end of May announced its retirement on the hacking forum it had used since 2017.
The announcement amounted to a kind of virtual sack dance. "We successfully cashed this money and legalized it in various spheres of white business, both in real life and on the internet," the extortionists crowed, and then added, "We are leaving for a well-deserved retirement. We have proved that by doing evil deeds, retribution does not come."
They seem to have spent less than three months in that active senior community they were heading for. Perhaps the black market's 401k wasn't up to expectations.
At any rate, they're back and back doing the same kinds of things.
To their proof that retribution does not come, one must add, yet there are plenty of law enforcement agencies eager to offer hospitality to GandCrab.
Whatever name they're operating with, it seems to be the same old crew.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Ben Yelin.
He's the Program Director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security.
Ben, always great to have you back.
We had a story come by today.
This is from the Washington Post.
This is their Cybersecurity 202 section.
And it's written by Joseph Marks.
It's titled, "White House Blocking Congress from Auditing Its Offensive Hacking Strategy." Take us through what's going on here.
So about a year ago, the White House developed an offensive hacking strategy to go after our adversaries like Russia and Iran, basically in case they attack our cybersecurity, our computer systems. It's a way of using offensive hacking strategies as a military weapon. So we have defensive capabilities and offensive capabilities. Generally, these strategies would be given to the relevant congressional committees of jurisdiction. But the chairs and ranking members of those committees claim that they have not been able to get access to these policies and therefore have not been able to perform oversight. So the controversy at this point is that the chairman of the relevant House subcommittee said that they're not able to evaluate the strategy, provide congressional oversight, and perhaps offer the White House some guidance as to how to conduct this policy.
Now, take me through some of the background here. I mean, we're talking about co-equal branches of government. We're talking about Congress's ability to declare war and how does that venture into cyber war or not. There's a lot in play here.
Yeah. So Congress, according to our Constitution, does have the sole power to declare war. That's become a bit of a murky power in the last half century or so. As a matter of fact, the last declared war was World War II. Oftentimes, we've had these mini war declarations, of course, most recently, the authorization for the use of military force in 2001, which justified the war in Afghanistan and general military operations relating to the war on terror. And it's sort of been used as a catch-all justification for all other types of counterterrorism, military strategy. When it comes to cybersecurity, we haven't really come up with a legal framework, in terms of thinking about it the way we look at traditional war powers. Congress, of course, has not declared a war, cyber or otherwise, on either of these countries. But generally, the president has Article II authority as commander in chief to protect the defenses of the United States. And I think both parties on Capitol Hill will agree that that would encompass using offensive hacking strategies in case our cyber systems are attacked. I don't really think that's a matter of controversy in this dispute. I think the issue is their ability to provide guidance and oversight. Now, the White House will say this is classified material. We're afraid of leaks, and I think those concerns are very valid. But we have processes in place so that members of Congress can get access to these classified briefings in a classified setting. So for the most classified material, it usually goes through what's called the Gang of Eight, which is the leadership of each House of Congress and the leadership of the relevant committees. So the Senate Intelligence Committee and the House Select Committee on Intelligence. But for something like this that I don't anticipate would be at the level of needing to go to the Gang of Eight, I think the subcommittees of jurisdiction, which are mentioned in this article, the House Armed Services Committee Cybersecurity Subcommittee being first and foremost, I think it would be customary for those committee members to get access to this classified information. And I think that's the source of the concern and the frustration.
Does Congress have any ability to force the White House's hand here?
So the one avenue they do have, of course, is attaching a rider to a must-pass Department of Defense policy bill, so the Defense Authorization Act. That bill authorizes all types of defense programs annually. A version of the Defense Authorization Act has passed both houses of Congress, and they are currently reconciling their differences. What some members of the House have suggested is that there needs to be a provision attached to that bill mandating the release of this offensive hacking strategy to the relevant congressional committees. If the Trump administration stuck to their guns, that could, of course, cause a standoff. They might say, we're not going to approve this defense authorization bill if it includes this rider that we have to release offensive hacking strategies. You know, will they torpedo a defense policy bill, which is generally supported by a majority of members of both political parties? I have my doubts about that. But, you know, it's certainly something that's now going to be part of negotiations on that must-pass piece of legislation.
All right. Well, Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.