CyberWire Daily - Play ransomware's new tools. A look at what the GRU’s been up to. US Air Force opens investigation into alleged leaker's Air National Guard wing. KillNet’s new hacker course: “Dark School.”

Episode Date: April 19, 2023

Play ransomware's new tools. Fancy Bear is out and about. Updates on Sandworm. Ransomware in Russia's war against Ukraine. The US Air Force opens an investigation into the alleged leaker's Air National Guard wing. The Washington Post's Tim Starks joins us with insights on the Biden administration's attempts to better secure the water supply. Carole Theriault chats with Cisco Talos' Vanja Svacjer about the threat landscape, now and tomorrow. And KillNet's in the education business with a new hacker course: "Dark School."

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/75

Selected reading.
Play Ransomware Group Using New Custom Data-Gathering Tools (Symantec)
NCSC-UK, NSA, and Partners Advise about APT28 Exploitation of Cisco Routers (National Security Agency/Central Security Service)
APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers (NCSC)
State-sponsored campaigns target global network infrastructure (Cisco Talos Blog)
Ukraine remains Russia's biggest cyber focus in 2023 (Google)
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape (Google Threat Analysis Group)
M-Trends 2023: Cybersecurity Insights From the Frontlines (Mandiant)
Faltering against Ukraine, Russian hackers resort to ransomware: Researchers (Breaking Defense)
Air Force unit in document leaks case loses intel mission (AP NEWS)
Pentagon Details Review of Policies for Handling Classified Information (New York Times)
Ukraine at D+419: GRU cyber ops scrutinized. (CyberWire)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Play Ransomware has some new tools. Fancy Bear is out and about. Updates on Sandworm, ransomware in Russia's war against Ukraine. The U.S. Air Force opens an investigation into the alleged leaker's Air National Guard wing.
Starting point is 00:02:19 The Washington Post's Tim Starks joins us with insights on the Biden administration's attempts to better secure the water supply. Carole Theriault chats with Cisco Talos' Vanja Svacjer about the threat landscape now and tomorrow. And KillNet's in the education business with a new hacker course. From the CyberWire studios at DataTribe, I'm Dave Bittner. [...] using. The tools include an infostealer, Grixba, as well as a Volume Shadow Copy Service, or VSS, copying tool. Grixba is a network scanning tool used to enumerate all users and computers in the domain. The tool was developed using a popular .NET development tool for embedding an application's dependencies into a single executable file, known as Costura. Also developed using Costura was another executable, a VSS copying tool that
Starting point is 00:03:48 the researchers say embeds the library AlphaVSS into executables. The AlphaVSS library is a .NET framework that provides a high-level interface for interacting with VSS. The library makes it easier for .NET programs to interface with VSS by offering a set of controlled APIs. The tool allows threat actors to copy files normally blocked by the OS. The GRU's exploitation of vulnerable Cisco routers has drawn a joint warning from UK and US intelligence agencies. The UK National Cyber Security Centre, the US National Security Agency, the US Cybersecurity and Infrastructure Security Agency, and the US Federal Bureau of Investigation are releasing this joint advisory to provide details
Starting point is 00:04:38 of tactics, techniques, and procedures associated with APT28's exploitation of Cisco routers in 2021. They assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate, GRU, 85th Special Service Center, Military Intelligence Unit 26165. APT28, also known as Fancy Bear, Strontium, Pawn Storm, the Sednit Gang, and Sofacy, is a highly skilled threat actor. The vulnerability Fancy Bear has taken advantage of since 2021, at least, is CVE-2017-6742. Cisco announced the vulnerability in June 2017 and issued patches and mitigations. Cisco Talos yesterday published its appraisal of the threat, stating: "Because of the large presence of Cisco network infrastructure around the world,
Starting point is 00:05:35 any sustained attack against network infrastructure would likely target Cisco equipment, but attacks are by no means limited to Cisco hardware. In reporting on Russian intelligence contracting documents, samples of which were recently shared with Cisco Talos, it was shown that any infrastructure brand would be targeted, with one scanning component targeting almost 20 different router and switch manufacturers." Cisco Talos also points out that Russia isn't the only nation-state whose intelligence services are collecting in this manner. China has also been active. Much of the
Starting point is 00:06:11 exploitation, Cisco Talos says, has been post-compromise, enabled by stolen credentials. Both Cisco and the British and American intelligence agencies who issued the joint warning offer sound advice for reducing risk. Google's Threat Analysis Group this morning published an update on what it's observed recently from Russia's Sandworm, or as Google calls it, Frozen Barents, a well-known group associated with the GRU's Unit 74455. Its activities continue to include intelligence collection, information operations, and leaks of stolen data over Telegram. Google states: "As we described in the Fog of War report, Frozen Barents remains the most versatile GRU cyber actor with offensive capabilities including credential phishing, mobile activity, malware, external exploitation of services, and beyond. They target sectors of interest for Russian
Starting point is 00:07:12 intelligence collection, including government, defense, energy, transportation and logistics, education, and humanitarian organizations." One of Frozen Barents' favored modes of gaining access to its targets is exploitation of vulnerable Exim mail servers. Citing other research by Google's Mandiant unit, Breaking Defense reports that Russia's GRU has increasingly turned to ransomware. This is read as either a sign of weakness or as a possible misdirection, shifting attention away from Russia's military intelligence service and toward conventional financially motivated criminals. The Secretary of the Air Force has directed the service's Inspector General
Starting point is 00:07:58 to open an investigation into compliance with safeguards for classified material at the 102nd Intelligence Wing, the organization to which Airman First Class Jack Teixeira, the accused Discord Papers leaker, had belonged. Air Force Secretary Frank Kendall appeared before the Senate Appropriations Defense Subcommittee yesterday to explain the ongoing investigation, Air and Space Forces magazine reports. Secretary Kendall said in his testimony, "There is a full court press going on about this. We are all disturbed about it,
Starting point is 00:08:37 and we are working very hard to get to the bottom of it and take corrective action." And finally, we return to developments in the cyber phases of Russia's war against Ukraine. The hacktivist auxiliary KillNet says it's been up to more than its now familiar woofing about having paralyzed NATO infrastructure, having taken the war to the collective West, and so on. The usual busywork of cyberspace. We saw yesterday that they were offering various data for sale, but the information they say they had was apparently kind of a drug on the market, attracting few rubes to KillNet's virtual snake oil show. But they have other things on offer. On April 4th, they announced they will be hosting an online hacking masterclass. Applicants are required to pay $500 in cryptocurrency
Starting point is 00:09:26 and can expect to learn nine subjects: DDoS, Google AdWords Arbitrage, Forgery, Carding, OSINT, Pegasus, Social Engineering, Methods of Cyber Warfare, and Diversion in the Network. The hacktivist auxiliaries have also sweetened the deal. Anyone who buys into their class gets free access to the NATO cyber training materials they stole. In addition to all of the material, they promise private video lessons, written manuals, and personal communication with the instructors 24-7 for two weeks. They will also prepare an updated methodology for their courses every 30 days for a year. And membership has its benefits. You too could become a KillNeteer. They say particularly active students will be invited
Starting point is 00:10:19 to our team. There is no set start date, but KillNet claims the classes will begin when they've reached 2,000 applicants. The course is offered in English, Russian, Spanish, and Hindi. We recommend against signing up, but if you do, be sure to leave a digital apple on the remote teacher's virtual desktop. Teachers like that. Class dismissed. Coming up after the break, The Washington Post's Tim Starks joins us with insights on the Biden administration's attempts to better secure the water supply. Carole Theriault chats with Cisco Talos' Vanja Svacjer about the threat landscape now and tomorrow. Stay with us.
Starting point is 00:11:23 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:11:46 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Thank you. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover
Starting point is 00:12:57 they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Our UK correspondent, Carole Theriault, recently spoke with Vanja Svacjer from Cisco Talos. Here's their conversation. So listeners, today we have a veteran, a senior veteran. Oh my God, it came to that. Mr. Vanja Svacjer, Cisco Talos threat researcher. And he's also someone I've known for probably forever, like a brother from another mother. It's like, I was just thinking about it yesterday. 25 years, Carole.
Starting point is 00:13:46 Wow. Quarter of a century we've been in this business. Yes. It's the silver tsunami. I think you worked in the labs the entire time, haven't you? More or less, yes, yes. I started with Sophos, an antivirus and threat detection company. Then I moved to Hewlett Packard,
Starting point is 00:14:06 and now I'm Cisco Talos for the last six years. I started as a very junior virus analyst in Sophos Labs, so I get to do all sorts of, let's say, interesting and less interesting work throughout my career. And then somehow as you build the experience, then they allow you to get out and present your work and experience to wider audiences. It's cool. Okay, so first I thought we could hark back to the old days
Starting point is 00:14:33 because we have listeners that weren't around, are not as old as we are, right? And you have really such a breadth of experience. So if we go back to the early 2000s, the landscape changed completely from then. So can you remember what it was like then? What were the big security considerations of the early 2000s? Yes. I think at the time, Windows 2000, Windows XP was just about coming. The biggest threats were between email spreading, like using various Word documents to automate Outlook
Starting point is 00:15:08 to spread things such as, I don't know, Melissa or the I Love You virus. Yeah. And then, of course, there were the ones that started exploiting vulnerabilities in Microsoft operating systems, which at the time were not very secure. And it was very easy for attackers to find vulnerabilities. So they used those to automatically spread malicious code through as many machines as possible around the world. So I think the last time we saw something similar was with WannaCry, for example, which was six years ago or so.
Starting point is 00:15:44 Yeah, and they used to have a lot of that stuff. There was a lot of mass mailing problems as well, right? Absolutely, absolutely. Which kind of hasn't disappeared today, but it's a different approach that the attackers are taking, I think. Yeah, and I don't remember back then that it was really financially motivated. Well, there were the scams, weren't there? There were the stock scams. That existed then too.
Starting point is 00:16:11 That was big. Yeah, there was spam. There was a pump and dump spam through email where the spammers would buy some really cheap penny stock And then they will try to send this secret text to let the recipients of the email know that this stock will increase in value. So they will try to artificially inflate the price of the stock and then they sell it on the higher prices and then they make money. And now most of the threats are certainly from the cyber criminal world, are focused towards making money for the actors behind them. Yeah, because then the big, the malware back then seemed to be more about either making a point or trying to distribute as far and wide as you could in a short period of time, almost like cat and mouse games with security firms. Would that be fair? Yes, I remember the time when we were all more or less still in one lab and we had various shifts we had to cover
Starting point is 00:17:11 and so you had to be on call because almost every time during the night or on Friday, of course, during the evening, there was some major outbreak that we would have to contain as soon as possible and release some updates, signatures that will detect them. Okay, what about now? So now the landscape has changed completely. So the biggest threats we're seeing, what would you say they are?
Starting point is 00:17:33 I would say ransomware certainly is the one that comes to mind as the one that affects most of the users and it has the most crippling effect to organizations and people in kind of equal way. But the second trend is probably those information stealers that install on the system and then therefore try to find confidential data, username and passwords from the user to upload them to the attacker-controlled environment. So therefore, they can reuse them in some other systems to steal cryptocurrency wallets or maybe get some credentials for, I know, banking,
Starting point is 00:18:15 internet banking or so on, any way that will allow the attackers to make some money from it. And there's also all the phishing scams as well. So when we used to have pump and dump scams, it's now much more about robbery, right? Romance scams and, you know, CEO scams, like, you know, whaling and all that kind of stuff. Absolutely.
Starting point is 00:18:35 The business email compromise, you know, where the attackers are able to get into one company's system and then they can intercept emails that are sent by the real partners and they respond as somebody else will respond from the original company and they instruct them to make some
Starting point is 00:18:56 wire transfer to some other bank and a banking account. Then they delete any emails that are coming from the partner paying that money. So that can last for some time. And those business email compromises can also be detected quite late, not in days, but rather in months usually. And I guess my big question, now that you've shown, like, you knew what happened, you know, 20 years ago, you know what's happening now, what's the future like? You know, like, I kind of think, part of me
Starting point is 00:19:30 thinks, like, way back 20 years ago we didn't have very secure systems, but the threat landscape was much more innocent than today. You know, there was a lot less players and actors because there wasn't the money angle that was strong. And today we've got threats everywhere, but there's loads of security products everywhere. Do you think we're safer now and we will be safer in the future? Do you think this is going to carry on? I think, despite all this news that we are hearing, overall we are safer. And I think when I look at the volumes of malicious files coming in, they're on a really slow, slow decline. And there will be repeating, you know, there will be skilled actors, skilled
Starting point is 00:20:15 actor groups, even the state-sponsored malware spreading around. But I think we'll probably be more and more secure as we develop new methods of, say, multiple factor authentication, all these systems that allow you to not just prevent malware, but also detect it within your environment when something like that happens. So I think that the security has increased overall, despite all the bad news we've been hearing over time. There we go. A rainbow in the sky that is cloudy with threats. Vanja Svacjer, Cisco Talos,
Starting point is 00:20:54 threat researcher. Thanks so much for talking to me. Thank you. Grandpa. This was Carol Theriault for The Cyber Wire. It is always my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at The Washington Post.
Starting point is 00:21:24 Tim, welcome back. It is always my pleasure to return to the show. Thank you. In today's 202, you write about some pushback that the Biden administration through the EPA is getting in their attempts to secure some of the cybersecurity elements of our water supply. Unpack what's going on here, Tim. Yeah, so this is pretty noteworthy because one of the constant themes of the newsletter and that you and I have talked about a lot is the difference of the Biden approach on cyber and wanting to be more regulatory or, depending on how they're talking about it, more minimum baseline standards or things that sound less scary to Republicans. And so they had put in place in March this memo, the EPA did, saying,
Starting point is 00:22:16 we now expect you to, when you're doing these sanitation surveys under the Safe Drinking Water Act, we expect you to include cyber assessments. And this was controversial with industry. It was certainly controversial with at least some cyber industry types. By industry, the first case, I mean the people who are working in the water business. And now we've seen the other shoe drop, which is that there is an actual attempt in court to stop this by a trio of Republican state attorneys general. They say this intrudes on states' rights. They say it also, interestingly enough, it takes away their power but also puts too much in their own hands. There's sort of an interesting argument that they use there. I'm not being facetious about the argument. It's just an interesting contrast in like,
Starting point is 00:22:52 it's taking things away from them and giving them things they don't want at the same time. So, you know, it's not necessarily surprising this was going to happen. I think probably the administration anticipated it, even if they didn't say so. I think it's something that they were expecting. I don't know. I don't have a good sense of how the court might rule on it. You know, it does seem like they've taken an interpretation of a law and been more liberal about how they're applying the law in this case, the administration has. So it'll be entertaining to see what's going to happen here.
Starting point is 00:23:21 Yeah. Is the pushback from the states primarily coming from kind of an unfunded mandate point of view? Well, that's another one of the things they brought up. Yeah. And I think this is not, again, not to cast aspersions on anybody, but some of these attorneys general have been somewhat more of an activist variety than I think of when I think of some attorneys general. They have pushed things like, a lot of things that the Biden administration has been a bugaboo for the Republicans on. So things like, you know, I think the lead party in this
Starting point is 00:23:53 is the Missouri State Attorney General. He's been the lead guy, if not one of the lead guys on the allegations that they're trying to pursue that the Biden administration has been censoring conservatives on social media platforms. Just to give you a sense of some of the approach of some of these attorneys general.
Starting point is 00:24:09 So perhaps looking for a fight here beyond the actual policy itself. Oh, yeah. I don't even think that they would probably deny it if you ask them that. I think they've quite said it in some of their press releases on some of these issues that they want to take the fight to the Biden administration. And what sort of timeline are we on for this playing out? Oh, gosh. You never know with the courts, right? Yeah. Could be years.
Starting point is 00:24:35 Okay. I will say that there has been some relatively swift progress in that lawsuit I just mentioned before as it pertains to the social media and Biden administration interactions, they've gotten a lot of people into court to talk about these things. And I think they consider some of these steps a success, even if they don't win the lawsuit. You know, they considered a big victory that they had Biden administration officials and social media company officials testify in court. So I think if they end up with some of that and it makes the administration look bad, I think they'll be happy with it. And they've gotten some of that out of that first lawsuit.
Starting point is 00:25:10 Before I let you go, I would love to get your take on the story that we covered yesterday, where Microsoft has updated their naming system for threat actors. Microsoft says that this is going to provide more clarity, more intentionality, I suppose. Do we need more ways to name threat actors? That seems to be a common reaction to folks in industry. Yeah, I mean, I think, okay, so let me give Microsoft the slight benefit of the doubt on this. They're
Starting point is 00:25:46 at least not confusing issues with their past names. I mean, they're switching naming systems. They're not adding names on top of. But of course, that's a whole new thing that people have to understand. If anybody was used to Microsoft calling it phosphorus, they're going to have to be like, wait, what is it called again? And they'll have to add a note in every single one of these things. This is a big source of
Starting point is 00:26:02 frustration for reporters, at least myself, because you want to give readers a sense of who you're talking about. And every time I write about one of these threat groups, I have to give five or six names, also known as. Yeah, same here. I would love to be able to give readers
Starting point is 00:26:19 this is this group and that's it. But I think there's a somewhat plausible explanation. First off, there's the less generous approach, which is to say that this is just about marketing. Everybody wants to use their names, and they want their names in the media. The second thing to say that I think is at least somewhat accurate, and Microsoft mentioned this to me this week, and they've mentioned it in past stories,
Starting point is 00:26:42 as have some other cyber companies when they've been asked about this, is they don't know exactly what everybody else is seeing. They can look at what the other companies are saying, and they can see how much it overlaps. But sometimes they have different insights into who's doing what, and they'll say something like, you know, APT35 is approximately Phosphorus. You won't necessarily say that they're 100% the same. And the fact that there are subgroups within subgroups also makes things complicated. Lazarus Group is more of an umbrella name. Charming Kitten, aka, what are they now? Mint Sandstorm? Right, right. And all the bears.
Starting point is 00:27:16 They have subgroups too. So I get it to a certain degree, but I really wish it wasn't this way. Yeah. I can't help wondering if this would be something that we could perhaps turn over to CISA and let them head the charge so that it wasn't an organization that had a marketing component in play.
Starting point is 00:27:37 Yeah, that might be nice. And there are groups that combine into membership some of these cyber threat researchers. So maybe they could, you know, smash their heads together and make them come together, like, you know, put them in the room and say, hey, only one name comes out alive. Right. One name to rule them all. All right. Tim Starks is the author of the Cybersecurity 202 with the Washington Post. Tim, always a pleasure. Thanks for joining us. Yeah, thanks for having me. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
Starting point is 00:28:31 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland
Starting point is 00:29:16 out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by John Petrick. Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening.
Starting point is 00:29:39 We'll see you back here tomorrow. Thank you.
