CyberWire Daily - Privateers seem to be evolving into front groups for the Russian organs. Unidentified threat actors engaging in cyberespionage. Catphishing from a South Carolina prison.

Episode Date: September 23, 2022

The GRU's closely coordinating with cyber criminals. An unidentified threat actor deploys malicious NPM packets. Gootloader uses blogging and SEO poisoning to attract victims. Metador is a so-far unattributed threat actor. Johannes Ullrich from SANS on Resilient DNS Infrastructure. Maria Varmazis interviews Anthony Colangelo, host of spaceflight podcast Main Engine Cutoff, about the iPhone 14 “Emergency SOS via Satellite” feature. And having too much time on your hands while doing time is not a good thing. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/184 Selected reading. GRU: Rise of the (Telegram) MinIOns (Mandiant) Void Balaur | The Sprawling Infrastructure of a Careless Mercenary (SentinelOne) An unidentified threat actor deploys malicious NPM packets (CyberWire) Threat analysis: Malicious npm package mimics Material Tailwind CSS tool (ReversingLabs) A Multimillion Dollar Global Online Credit Card Scam Uncovered (ReasonLabs) Gootloader Poisoned Blogs Uncovered by Deepwatch’s ATI Team (Deepwatch) The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities (SentinelOne) SC inmate sentenced for ‘sextortion’ scheme that targeted military (Stars and Stripes) Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The GRU's closely coordinating with cyber criminals. An unidentified threat actor deploys malicious NPM packets. Gootloader uses blogging and SEO poisoning to attract victims. Metador is a so far unattributed threat actor.
Starting point is 00:02:17 Johannes Ullrich from the SANS Technology Institute on resilient DNS infrastructure. Maria Varmazis interviews Anthony Colangelo, host of spaceflight podcast Main Engine Cutoff, about the iPhone 14 emergency SOS via satellite feature. And having too much time on your hands while doing time is not a good thing. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 23rd, 2022. Russia has long tolerated cyber gangs, afforded them a territorial safe haven from which they could work with impunity, as long as their operations worked generally to the detriment of Russia's international rivals. A report in this morning's Wall Street Journal, citing research by Google's recently acquired Mandiant unit, describes the unprecedented ways such sufferance and
Starting point is 00:03:32 toleration have evolved into active coordination and direction. The relationship has apparently developed well beyond the familiar permissive privateering the gangs have been encouraged to undertake. Mandiant's report on this development, released this morning, focuses on the GRU, which is organizing the activities of nominally hacktivist groups and supplying them with GRU tools to attack Ukrainian networks. Mandiant says, we are tracking multiple self-proclaimed hacktivist groups working in support of Russian interests. These groups have primarily conducted distributed denial of service attacks and leaked stolen data from victim organizations. Although some of these actors are almost certainly operating
Starting point is 00:04:17 independently of the Russian state, we have identified multiple so-called hacktivist groups whose moderators we suspect are either a front for or operating in coordination with the Russian state. Killnet, which has surfaced as the moving group behind DDoS attacks against European states deemed by Russia to be too cozy with Ukraine, is among the more prominent hacktivist front groups mentioned in dispatches. Sentinel Labs yesterday published an update on the Void Balaur cyber mercenary group.
Starting point is 00:04:56 The hack-for-hire operation, which has operated in the criminal-to-criminal market since 2016, has expanded its activities. Sentinel Labs says, New targets include a wide variety of industries, often with particular business or political interests tied to Russia. Void Balaur also goes after targets valuable for pre-positioning or facilitating future attacks. Its infrastructure is described as sprawling and its methods are called careless, but Void Balaur's volume is up. It's not generally clear who the group's customers are,
Starting point is 00:05:26 but Sentinel Labs points to some indications that a Russian security service may be among them, stating, A unique and short-lived connection links Void Balaur's infrastructure to the Russian Federal Protective Service, a low-confidence indication of a potential customer relationship or resource sharing between the two. In yet another instance of a software supply chain attack, ReversingLabs researchers outlined the placement of a malicious NPM package in a widely used components library. ReversingLabs discovered a malicious NPM package posing as Material Tailwind, a components library for Tailwind
Starting point is 00:06:06 CSS and Material Design. ReversingLabs says, These types of software supply chain attacks can be spotted almost daily now. In most of these cases, the malware in question is fairly simple JavaScript code that is rarely even obfuscated. Sophisticated multi-stage malware samples like Material Tailwind are still a rare find. In this case, the complexity of the malware tactics leads to a conclusion that sophisticated actors could be behind this attack. For now, our analysis of the situation tells us that Material Tailwind's stage 2 payload can be classified as a fully functional Trojan malware. It uses a lot of techniques to complicate reverse engineering. Additionally, IP redirection using a file hosted on a legitimate service like Google Drive
Starting point is 00:06:55 is also performed before the communication with the actual C2 server. The researchers add that the threat actor did quite a good job at making the package description as convincing as possible. The threat actor took special care to modify the entire text and code snippets to replace the name of the original package with Material Tailwind. The malicious package also successfully implements all of the functionality provided by the original package. ReversingLabs researchers situate the campaign in the larger context of the rising trend in software supply chain attacks. ReasonLabs have discovered a Russophone gang
Starting point is 00:07:35 using bogus dating and customer support sites to induce its marks to cough up paycard details. Researchers at ReasonLabs describe a major online credit card scheme that's been active since 2019. The threat actor has used at least 200 phony dating websites and 75 fake customer support sites to trick users into signing up for fraudulent subscriptions. The dating sites inform users that the credit card statement will be unrelated to the adult industry in order to be discreet. The researchers believe the campaign is being run by an organized crime group based in Russia. They say,
Starting point is 00:08:14 We estimate the scheme has amassed tens of millions of dollars in fraud from tens of thousands of families and individuals. We estimate it is operated by a crime syndicate and found evidence that it originated in Russia. The scam seems to abuse several security brands, such as McAfee and ReasonLabs, to execute fraudulent credit card charges. The infrastructure is built on top of Amazon Web Services and uses GoDaddy to circulate hundreds of domains. The fraudster's strategy includes operating a massive fake network of dating and adult websites with functional customer support capabilities. Once the sites are live, the scammers coerce payment providers to gain the ability to accept credit card payments.
Starting point is 00:09:00 At this point, the fraudsters search the darknet and acquire thousands of stolen credit cards and charge them to their fake website services. Deepwatch describes how Gootloader uses well-planned and targeted blogs in a search engine optimization poisoning campaign. The operators appear to be trawling for users interested in topics related to government, legal, healthcare, real estate, and education. Geographically, many countries are targeted, but most attention seems to be paid to the Five Eyes: Australia, Canada, New Zealand, the United Kingdom, and the United States. The operation looks like one run on behalf of a nation-state intelligence service,
Starting point is 00:09:41 but Deepwatch so far has insufficient grounds to offer an attribution. Sentinel Labs yesterday reported another threat actor that looks like the work of a nation-state. Metador is described as targeting telecommunications, internet service providers, and universities in several countries in the Middle East and Africa. It's not known who Metador is nor whom the group is working for, but they show a high degree of operational security and situational awareness of the environments in which they operate. The report says,
Starting point is 00:10:14 Traces point to multiple developers and operators that speak both English and Spanish, alongside varied cultural references including British pop-punk lyrics and Argentinian political cartoons. Researchers say the evidence is consistent with Metador being either an intelligence service or a mercenary group working under contract. And finally, have you heard the saying, busy hands are happy hands? We have. A gentleman serving 25 years in South Carolina for voluntary manslaughter and attempted armed robbery,
Starting point is 00:10:50 one Darnell Kahn, has been convicted in a U.S. court on federal sextortion charges. Mr. Kahn obtained an illegal smartphone, something he as a prisoner is not supposed to have, and used it to set up a fictitious woman's dating profile online. He would strike up a relationship with lovelorn U.S. servicemen, catfishing them into sharing their own not-safe-for-work selfies, and then reveal the fictitious line that the person they thought was an adult woman was in fact an underage girl, and that the person they were now communicating with was either the catfish's father or a private detective. If the victim failed to wire money to Mr. Kahn,
Starting point is 00:11:33 they would face prosecution and a dishonorable discharge, or so Mr. Kahn's persona said. He's believed to have victimized 40 servicemen between January and July of 2017. The Stars and Stripes reports that sextortion seems to have become something of a cottage industry in South Carolina prisons, and Mr. Kahn isn't alone in pursuing this particular line of crime. The catfishing is no joke.
Starting point is 00:11:59 At least one suicide has been traced to it. If this were Russia, Mr. Kahn would make a good candidate for recruitment by the Wagner Group, but this is America, and so we wish the wardens good hunting in tracking down the illegal devices and in sending the Kahns back to the license plate shop. Coming up after the break, Maria Varmazis on the iPhone 14 emergency SOS via satellite feature, Johannes Ullrich from SANS on resilient DNS infrastructure. Stay with us. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:12:59 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:13:56 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. We are excited to welcome the newest member of the CyberWire team,
Starting point is 00:14:48 our space correspondent, Maria Varmasis. She will be making regular contributions to our programs covering the security of all things where no one has gone before. Here's Maria. At its product unveiling on September 7th, Apple announced that its upcoming iPhone 14 will have a, quote, vital new safety feature we hope you'll never need. That feature is called Emergency SOS via Satellite, which lets iPhone users text for help via satellite when there's no Wi-Fi or cell phone signal available. Now, experienced travelers and hikers likely know that satellite phone tech has been around for a long time,
Starting point is 00:15:25 including SOS beacons you can buy for just this kind of off-grid emergency situation. But they're slow, and they involve a big bulky phone with an antenna up top, nothing that looks anything close to the typical iPhone design. But Apple figured out that by directing users to physically point their phone to a satellite up in space, instead of casting the wide net a typical satellite phone antenna might, and by having the emergency message be only a compressed text message, it can get the job done.
Starting point is 00:15:53 No bulky antenna needed. This new iPhone feature is a major step in bringing satellite communications to the masses, and certainly consumers will be seeing a lot more of it, with T-Mobile and Google actively working on similar features for their own phones. So, for more on what it all means, I spoke with Anthony Colangelo, host of the spaceflight podcast Main Engine Cutoff,
Starting point is 00:16:15 and expert on satellite technology and Apple apps as well. Now, Anthony, I know we haven't been able to get our hands on this feature yet, but based on what Apple has shown us so far, let's do a little dive into how this feature works. Apple mentioned that they had to create a compression algorithm specifically for these messages. Now, what kind of bandwidth are we talking about with this kind of satellite communication? I'm not sure the exact bandwidth, but the other aspect is it's not just bandwidth, it's connectivity as well, right? If you are in a completely open sky at the top of a mountain, you can probably maintain a full connection with that satellite.
Starting point is 00:16:48 But if you have any inclement weather, foliage coverage, things that would happen when you're off the grid hiking through a national park, it's going to be very in-and-out coverage. And then you not only have to figure that out, but these satellites are orbiting, so they're moving. So if somebody's hands jiggle in a little bit, the satellite's moving the other direction and they lose contact for a second.
Starting point is 00:17:04 It needs to be resilient to those kind of changes in the environment as well. A new satellite's coming over the horizon, so you've got to switch to that satellite. The way this works on the back end is that this is going up to this Globalstar satellite. It's then coming down to one of the gateways on Earth, which there are tens of around the world. I think they're building out ten new ones as part of this partnership as well. And that's going to relay on to the emergency services that are most helpful to you. It's a kind of weird architecture where you're jumping up to a satellite, down to a gateway station, over to a relay center who eventually gets you to emergency services.
Starting point is 00:17:37 You know, in an emergency situation, people are probably not thinking about the security of their messages necessarily, but I can't help but wonder, do we have any sense at all about how secure these messages are, or is that just not even going to be on the radar in a situation like that? I think it would probably be one of those cases where you're relying on the nature of the satellite industry today to provide that, right? You think of the satellites that are up there in orbit. You've got DirecTV, you've got TV broadcasts around the world, things that they probably don't want you to be able to pirate, right? They are particularly concerned about the privacy and the security of these things. Now, that said, there are satellites that have been up there for decades that people have figured out how to decode. And certainly there's a huge arm of the US government and governments around the world
Starting point is 00:18:16 that build satellites to go up and snoop on different satellite communications. It's not a perfectly secure world up there. But then again, in this particular kind of use case, I don't really know if I, at a functional level, would be concerned that somebody was snooping on my emergency relay message as long as they might also be able to help out. Like, I don't care if they overhear that. So maybe it's not the worst thing in the world.
Starting point is 00:18:37 And admittedly, the part of the announcement that got a bit more of my attention was sort of a footnote. And this was the addition of sending your location via satellite with the Find My app. And it's an opt-in feature, which means the user has to manually tap to update their location via satellite
Starting point is 00:18:54 each time they want to do that. Now, obviously, GPS has existed for a long time, but I'm just wondering what... Different kind of thing. Different kind of thing, right? So we're introducing a whole new thing, a whole new piece of hardware to a phone. I just can't help but wonder about risks there.
Starting point is 00:19:07 Yeah, and this may be a scenario where Apple's architecture with special hardware that is very directional is a positive, right? I don't think it's something that your find my location is always going to be sent up to these satellites without you specifically doing it, because again, you need to be in that very directional pointing mode, right, where it's telling you where the satellite is.
Starting point is 00:19:26 And that's the difference in architecture here. There's other satellites that are going up from Lynk and AST SpaceMobile and eventually Starlink. If they are connecting to your phone just like a cell tower, then yeah, there's surreptitious connections going on all the time between you and a satellite. Whereas this is a very intentional interface. So in that same vein, could somebody track you because of the locations that you've sent up specifically? Yes. Could they do it without you knowing that you've provided a location somewhere? No, based on what I'm understanding right now.
Starting point is 00:19:56 Thanks so much, Anthony, for that valuable context. And it should be noted that emergency SOS via satellite won't be available immediately with the iPhone 14. Apple has it slated to begin working no earlier than November 2022. So hikers and Apple early adopters, please take note. For the CyberWire, I'm Maria Varmazis. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. And joining me once again is Johannes Ullrich.
Starting point is 00:21:01 He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, it is always a pleasure to welcome you back. Thanks for having me, Dave. So today we are talking about DNS, and I'm going to give you the honors here of what's the old chestnut about DNS? Yeah, the good and famous DNS haiku that always has to be mentioned when you're talking about DNS. It's not DNS. There's no way it's DNS.
Starting point is 00:21:30 And it is DNS, so if you have a problem, DNS is often the reason behind it. And in part because people sort of ignore DNS. DNS is sort of one of those protocols that just works for the most part. It's actually, I think, one of the huge
Starting point is 00:21:45 success stories when it comes to protocols. If you think about it, I remember my very first networks, like, it must have been the late 80s,
Starting point is 00:21:53 early 90s. We still had these host files where you got from the university a list of all of the systems on the internet in one file.
Starting point is 00:22:02 Right. And how quaint. And DNS solved this problem. And of course it scaled tremendously, if you think about it, from sort of a few million to a few billion entries. So, real great protocol. I don't really
Starting point is 00:22:19 want to talk down on DNS. Lots of people criticize this. But it has its tricks. And it's not an easy protocol to manage and really get the resilience that you need. These days, a lot of people move DNS to the cloud, which of course, let someone else worry about it. That's a little bit the attitude here. But you may lose something with this. When I teach intrusion detection, one of the biggest things I always point out is, hey, if I can get one set of logs from the environment, I'll always take DNS logs. Because everything that happens in your network
Starting point is 00:22:55 reflects itself in DNS. What websites people are visiting, what command control service a malware connects to, that's all in DNS. So if you're moving into the cloud, make sure you retain that visibility into your DNS traffic so you have it available to search for indicators of compromise, which is very quick and simple and really sometimes quite successful. The other part you may not realize you're losing is a little bit resiliency.
Starting point is 00:23:28 Now, we like the cloud kind of because the cloud tends to be fairly resilient until it's not. And then, of course, it's not just down, but you can't even go down the basement and kick that server because it's summer in Seattle or whatever, and it's a long walk. And they don't let you kick those servers either, kind of. So keep that in mind.
Starting point is 00:23:55 And one thing I want you to look a little bit out here with cloud providers, cloud providers have sort of that tendency to hold you hostage. It tends to be difficult to move from one cloud provider to another if you are using a service like DNS with them. Try to find a way how to synchronize your data between different cloud providers.
Starting point is 00:24:17 Now, I say synchronize, I don't say replicate, because DNS actually has replication built in. But that's a feature that these cloud providers often don't really support, in part because they don't want you necessarily to leave easily or to easily switch over to another cloud provider. So try to find some way here to get that working across cloud providers. It's usually not expensive. These DNS servers are fairly cheap.
Starting point is 00:24:44 So setting up a second cloud provider should really not break the bank. It gives you that additional peace of mind, resiliency when it comes to DNS. Is this a situation where if you have multiple providers, then you'll have kind of automatic fallback if one goes down and the other picks up and kicks into gear?
Starting point is 00:25:03 Yeah, and that's the nice thing about DNS. DNS is sort of designed around this. So for your domain, and we're talking about an authoritative name server here, you can advertise multiple name servers that are authoritative for this particular domain. And DNS servers, when they're trying to look up one of your host names, they try the first one, it doesn't respond, they try the next one. So that's all built into a DNS. So now you just have to make sure that you advertise DNS servers that are located with different cloud providers. Then also when you're setting this up, set up a
Starting point is 00:25:37 little bit rigor around how you manage DNS. Another problem once you move it into the cloud is then, of course, credentials get compromised more easily and you may have someone else mess with your DNS. There are a lot of interesting attacks if people add mail servers to your DNS records, for example. Now they'll receive your email and I can tell you they will not filter your spam. They will just read it and pass it on to you. What about some of the DNS providers who are there to just try to make things easy and also a bit more secure, like Quad9,
Starting point is 00:26:15 those kinds of providers? What are your thoughts on them? Yeah, I kind of like that idea. Now, these are recursive DNS servers, so you would use them to look up other people's host names. Again, you can set up multiple of these providers. You don't have to limit yourself to one. So the way I usually like to configure it is
Starting point is 00:26:38 I set up internal in my network a small recursive resolver that all it does is it forwards queries to these public DNS servers. Because they tend to be quite fast, and then I still have the logs in my DNS server. I gain some speed because the popular websites, someone else probably already visited them, and these DNS servers now have that information cached and it comes in faster.
Starting point is 00:27:07 So that works. And of course, some of them, like OpenDNS is famous for that and such. They also offer some filtering. Now, as part of their commercial solutions, they may also offer you some extended logging. And that's, of course, useful to gain
Starting point is 00:27:22 the insight into your network. Right, right. All right. Well, good information as always. Johannes Ullrich, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:27:49 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. In my conversation with Gafnit Amiga from Lightspin, we're discussing her team's research, AWS RDS Vulnerability Leads to AWS Internal Service Credentials. That's Research Saturday. Check it out.
Starting point is 00:28:55 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Starting point is 00:29:16 Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
