CyberWire Daily - Ransomware updates: TrueBot, Cl0p, and Royal. Iranian cyberattacks. An update on the cyberattack against the Met. Notes on the hybrid war, with a focus on allies and outside actors.
Episode Date: December 12, 2022

TrueBot found in Cl0p ransomware attacks. Royal ransomware targets the healthcare sector. Recent Iranian cyber activity. A night at the opera: an update on the cyberattack against the Metropolitan Opera. New Cloud Atlas activity reported. Europe looks to the cybersecurity of its power grid. Rob Boyce from Accenture describes Dark web actors diversifying their toolsets. Rick Howard explains fractional CISOs. And international support for Ukrainian cyber defense continues, more extensively and increasingly overt.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/236

Selected reading.
Breaking the silence - Recent Truebot activity (Cisco Talos Blog)
New TrueBot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm (The Hacker News)
TrueBot infections were observed in Clop ransomware attacks (Security Affairs)
Clop ransomware uses TrueBot malware for access to networks (BleepingComputer)
Royal Ransomware (US Department of Health and Human Services)
US Dept of Health warns of ‘increased’ Royal ransomware attacks on hospitals (The Record by Recorded Future)
Iran-Backed MuddyWater's Latest Campaign Abuses Syncro Admin Tool (Dark Reading)
MuddyWater Hackers Target Asian and Middle East Countries with Updated Tactics (The Hacker News)
New MuddyWater Campaign Uses Legitimate Remote Administration Tools to Deploy Malware (Cyber Security News)
Shows will go on at Met Opera despite cyber-attack that crashed network (ABC7 New York)
Cyberattack disrupts Metropolitan Opera (SC Media)
Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine (Check Point Research)
APT Cloud Atlas: Unbroken Threat (Positive Technologies)
European Electricity Sector Lacks Cyber Experts as Ukraine War Raises Hacking Risks (Wall Street Journal)
How the US has helped counter destructive Russian cyberattacks amid Ukraine war (The Hill)
The Australian company training Ukrainian veterans in cybersecurity (Australian Financial Review)
How Proton intends to thwart Russian cybercensorship with its VPN (HiTech Wiki)
Cyber Lessons Learned from the War in Ukraine (YouTube)
War in Ukraine Dominated Cybersecurity in 2022 (CNET)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
TrueBot is found in Cl0p ransomware attacks.
Royal ransomware targets the healthcare sector.
Recent Iranian cyber activity.
A night at the opera.
An update on the cyber attack against the Metropolitan Opera.
New Cloud Atlas activity's been reported.
Europe looks to the cybersecurity of its power grid.
Rob Boyce from Accenture describes dark web actors diversifying their tool sets.
Rick Howard explains fractional CISOs.
And international support for Ukrainian cyber defense continues, more extensively and increasingly overt.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 12, 2022.
Late last week, Cisco's Talos Group published an overview of recently observed TrueBot activity.
The malware is being used by the Russophone gang Silence to distribute Cl0p ransomware.
Cl0p attacks are typically double extortion operations with data stolen before encryption.
Talos writes, there are some strong circumstantial indications that Silence is associated with the gang better known as Evil Corp and with the financial crime activity FIN11.
There's so far insufficient evidence to suggest that the gang is focusing on any particular sectors to the exclusion of others, but Talos has noticed a number of operations against educational institutions.
The Department of Health and Human Services has warned of the threat the Royal ransomware poses to the healthcare and public healthcare sector.
The Royal ransomware first surfaced in September 2022. It appears to be operated by a single group rather than functioning as a ransomware-as-a-service model.
A report from Microsoft found that the threat actor uses social engineering to distribute the ransomware, stating,
The group has been delivering the malware with human-operated attacks
and has displayed innovation in their methods by using new techniques,
evasion tactics, and post-compromise payloads.
The group has been observed embedding malicious links in malvertising,
phishing emails, fake forums, and blog comments.
In addition, Microsoft researchers have identified changes in their delivery method
to start using malvertising in Google Ads,
utilizing an organization's contact form that can bypass email protections,
and placing malicious installer files on legitimate-looking software sites and repositories.
A note in disclosure, Microsoft is a CyberWire partner.
Researchers are discussing recent activity of Iran-linked threat actors,
some of which are using a new data wiper while others are updating a remote administration tool.
Bleeping Computer reports that a new data wiper, Fantasy, has been seen in use by the Agrius APT
group in supply chain attacks against targets in Israel, Hong Kong, and South Africa. The campaign
reportedly began in February of this year and took hold in March, victimizing an IT support services firm, a diamond wholesaler, a jeweler, and an HR consulting company.
This new wiper is an evolution of the Apostle wiper,
seen previously in use by the hacking group, according to analysts from ESET.
Iran-affiliated threat group MuddyWater has been observed by Deep Instinct researchers abusing a new remote administration tool known as Syncro against target devices, Dark Reading reports.
Syncro is a managed service provider platform that replaced the group's other remote administration tool, Remote Utilities, which was seen in use in September.
The Hacker News says that the software allows for complete control of machines remotely, which allows for reconnaissance, back doors, and the sale of access to outside actors.
The Metropolitan Opera in New York has sustained a cyber attack that shut down the Opera House's website and box office.
The Record reports that the attack was disclosed by the Opera House on Wednesday evening.
A Twitter post from the Met Opera account on Wednesday says, the Met has experienced a cyber attack that has temporarily impacted our network systems, which include our website, box office, and call center. All performances will take place as scheduled.
The Twitter thread continues on to say that new ticket orders, exchanges, and refunds are unable to be processed and directs you to the Opera House's site for updates.
ABC7 reported that as of Friday, tickets are being sold on the Lincoln Center website and in person at David Geffen Hall.
The FBI is also investigating.
SC Magazine reports that this attack follows an attack on WordFly in July that victimized cultural organizations including the Royal Shakespeare Company, Sydney Dance Company, and the UK's Old Vic Theatre.
WordFly, The Record reports, was a provider of digital marketing services for a range of cultural organizations around the world.
Both Check Point Research and Positive Technologies report renewed activity by Cloud Atlas, an APT of uncertain provenance that's also known as Inception.
There's a general consensus that Cloud Atlas is engaged in cyber espionage and that it's at present collecting against targets related to Russia's war against Ukraine, notably in Russia and Belarus.
Who Cloud Atlas is working for or what strategic interests the APT serves remain unclear. Neither Check Point nor Positive Technologies offer any attribution.
In 2016, Kaspersky, writing in Virus Bulletin, reported very tentatively that there were circumstantial signs of Chinese activity behind Cloud Atlas, but it could equally well be evidence of code borrowing or false flag operations.
DomainTools took up the question in February of 2021, and their researchers also threw up their hands, stating, based on the observed activities, lures, and likely geographic targeting, DomainTools assesses with high confidence that the campaigns in question form part of an unspecified espionage operation.
While further speculation on particular attribution is possible, insufficient technical evidence exists that would allow DomainTools to attribute this activity to any distinct entity or country.
The Wall Street Journal reports that kinetic attacks against Ukraine's power grid
have motivated European authorities
to look to the cybersecurity of their own grid.
Ukraine has disconnected its grid from Russia's
and connected it to Europe's.
And while there's concern about that new exposure
and managing an expanded attack surface,
the EU seems also to be concerned
about a shortage of qualified cybersecurity operators
who could be employed in safeguarding its grid.
The Hill describes the scope of U.S. Cyber Command hunt-forward operations.
U.S. teams have conducted 35 operations while deployed to 18 countries,
including Croatia, Estonia, Lithuania, Montenegro, North Macedonia, and Ukraine.
The UK and other NATO members have also rendered cyber assistance to Ukraine
and Eastern European countries at risk of Russian cyber attack.
Assistance is also arriving in Ukraine from the private sector.
AFR reports that Canberra-based security firm Internet 2.0
has signed a memorandum of understanding with Ukraine's Ministry of Digital Transformation to provide cybersecurity training to Ukrainian veterans.
After the break, Rob Boyce from Accenture describes dark web actors diversifying their tool sets.
Rick Howard explains fractional CISOs.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Rick Howard. He is the CyberWire's chief security officer,
also our chief analyst, but more important than any of that stuff, he is the host of the CSO Perspectives podcast right here on the CyberWire Network. Hello, Rick.
That was a brilliant introduction. I'm going to take that to the bank, sir.
Thank you. Thank you very much.
thinking recently about you and I when we were back at the RSA conference this year, way back in June, and you came into our broadcast studio and you were all wound up about this new thing,
something called fractional CISOs. So for our audience, what the heck is a fractional CISO?
Yeah, you're no kidding. So before the RSA conference, I'd been aware of a few of my friends, these are former CISOs,
hanging their shingles out to come in and advise CEOs about how to think about cybersecurity in
terms of business risk, or to come in and help them stand up their first InfoSec program while
they were looking for their first CISO, or even to come in after a breach to put their fingers in
the dikes until more permanent measures could be established. And I was calling them virtual CISOs, and they were more like
advisors or contractors. But at RSA, I was talking to another friend of mine, a veteran in the
cybersecurity space, Todd Inskeep. Have you ever met him, Dave? He was one of the... Yeah, yeah.
I've interviewed him, yeah. Oh, sure. He was one of the key players when we created the Cyber Threat Alliance a few years ago.
And today, he's the founder and senior managing director at Incubate Solutions, a company that provides these kinds of services.
But he has a much better name for it.
He called it a fractional CISO.
So here's Todd explaining it.
We've seen over the years the idea of a fractional chief financial officer, a fractional chief information officer, information technology officer.
And the next step is obviously to think about it from a security perspective.
We've seen the SEC and others put more emphasis on cybersecurity as part of the governance of a publicly traded company.
It's clearly in the
headlines with ransomware and other threats all the time. And so companies are starting to think
about how do I get some cybersecurity expertise that's focused on business as opposed to the IT
technology team that's thinking firewalls, configuration controls, a lot of details that matter for
cybersecurity, but don't really translate into business terms. All right. So why not just hire
a CISO? Why are contracted CISOs attractive to CEOs? That's the question I asked him, but there
are basically two reasons for this, I think, right? First is that CISOs are
expensive. You know, the average salary is just north of $200,000 and the more experienced CISOs
go for a lot more. But the second one, and probably the more important one, is business experience.
You know, newly minted CISOs are likely coming in from the tech side of the house or rising up from the InfoSec ranks; they don't have a lot of business experience yet. So, with a fractional CISO, you can get the advice
of a seasoned pro, someone who's been there and done that, especially for small to medium-sized
organizations that don't have a lot of resources and don't know where to start. A fractional CISO
is a viable alternative. So, on this week's CSO Perspectives episode,
I interviewed Todd about this new fractional CISO development. And then we talk about the
evolution of the CISO job and where it might go in the future. All right. Well, that is on the pro
side, the subscription side of the house. What's the episode that you're sharing over on the public
side? Yeah. So each week we pull an episode from the CSO Perspectives archive
and make it available to everybody in the public feed.
This week's show is one of my favorites, Dave.
It's from March of this year.
It's about intrusion kill chain models.
And you've heard me flap on about this over and over again.
Yeah.
But most listeners are probably familiar
with the Lockheed Martin kill chain model
and the MITRE ATT&CK framework.
Some are even aware of the DoD's Diamond model.
But I would guess that most think those are three distinctive and completely different models.
But that just isn't true.
They're all pretty much in the same vein.
One's a strategy document, Lockheed Martin.
One's an operational construct for defensive action like MITRE. And one's a
methodology for cyber threat intelligence teams, the Diamond Model. So in this show,
we'll talk about how they all work together and how they can work in your own organization.
All right. Well, before I let you go, what is the phrase of the week over on the WordNotes podcast?
Yeah, we had a little fun this week with this one. The word is SSIDs or Service Set Identifiers.
These are the names of Wi-Fi networks we connect to,
you know, when we're at the local Starbucks,
our hotels and our homes.
So we explain what SSIDs are
and even review the top five funniest neighborhood SSID names.
And I'll give you a hint, Dave.
The SSID I use in my home router, the name that all my neighbors see when they are connecting to their own Wi-Fi routers, is FBI Surveillance Van number 37.
Yes, I was just going to say FBI Surveillance Van.
I think that is practically a cliche.
My other favorite is Abraham Linksys.
There are a few thousand websites that list all these great names, so I highly recommend them. Right, right. Absolutely. All right. Well,
Rick Howard, again, is the CyberWire's chief security officer, also our chief analyst,
and the host of the CSO Perspectives podcast. Rick, thanks for joining us.
And joining me once again is Robert Boyce.
He is a global lead for cyber resilience and an advisory board member at Accenture. Rob, it's always great to welcome you back to the show. I want to touch base with you
today on some of the things that you and your colleagues are tracking when it comes to dark web
actors and some of the tool sets that they're using. What can you share with us?
Yeah, thanks, David. I'm happy to be back, as always. You know, I think there is probably an understanding to some level of the
tools that threat actors use in general to complete their missions. And, you know, I think a lot of
people probably have the perception that there's a lot of free tools that they're using, underground
tools, and also tools that they're making. And yes, those are all true. But what maybe a lot of people don't realize
is that there's also a lot of commercially available tools that the attackers are using.
And these tools are typically targeted towards, you know, the white hat hackers who are doing
pen tests and checking for vulnerabilities, similar to what Accenture does for our clients,
you know, just making sure that we're being able to simulate what a threat actor would do.
And there have been a number of these tools, probably most famously Cobalt Strike,
that threat actors love to use as well.
And so when we are in the field doing a lot of our incident response,
we often see Cobalt Strike as part of the command and control framework
that the attackers are using.
And we have seen threat actors on dark web
marketplaces selling access or selling codes or selling licenses or cracked versions of the
software for threat actors to be able to use. And so it's becoming a well-known tactic of threat
actors. What we've started to see is that a lot of some of the other additional commercially available tools are now also being targeted for use by threat actors.
So we're seeing them just look for other commercial tools similar to Cobalt Strike.
Brute Ratel C4 is one that comes to mind now that we're starting to see in the field.
Again, this is a commercially available product, and now we're starting to see threat actors sell licensing or cracked versions of this software as well, which is also super
interesting to me as they're starting to pivot from one tool to another to try and help avoid
detection. Yeah, I was going to ask you about that. I mean, when folks are using legitimate
tools here, tools that legitimate pen testers use, is it likely that those tools have a better
chance of getting in or may not raise the same level of alert as some sort of illicit tool?
That shouldn't be the case, right? There should be, you know, detection strategy should be
in place comprehensive enough to be able to detect the commercial tools and the underground tools. But what I do see is, you know, these tools are just convenient. You know, they're packaging up what you would have to say use four to five or six different bespoke tools or homemade tools into one package. So it just makes it a little bit easier for them to be able to operate against their mission.
What we are seeing is a lot of defenders,
now that, say, Cobalt Strike, for example,
is a well-known tool for attackers,
they do start to overpivot to look for indicators of that tool set.
And so other tools then, like Brute Ratel or Nighthawk
or others that are commercially available products,
maybe because they may be newer
or they have different evasion techniques,
they're not as easily detected
in the infrastructure of a lot of organizations today.
So being able to move from one tool set to another is allowing them to
avoid detection for longer periods of time.
I can't help thinking that we hear the stories about
cracked versions of commercial software often
having malware within it. And I can't help wondering if
some of these folks on the dark web who are going after these cracked versions of these tools find themselves being victimized by some other people in the ecosystem.
But I got to tell you, Dave, I think I never cease to be surprised or amazed of really how ethical the underground community is in the dark web.
Because if you do not follow through with your commitment or you're selling something that may have embedded malware in it, you're probably not going to make another sale. So it is always surprising to me just how, I mean, ethical is not the right
word, but honor among thieves, right? Exactly. Exactly right. So in terms of what folks can be
doing about this, any words of wisdom there? Yeah, absolutely. You know, I think one thing that
I have found that a lot of organizations are heavily reliant on endpoint telemetry now,
leveraging their antivirus, leveraging their EDRs, which are great, and they should be.
But when we're thinking about things like data exfiltration, as well as command and
control frameworks, we need to be looking at the network level as well.
And so what I'm finding is there's just been an over-rotation to endpoint telemetry and
not enough focus on network telemetry. So it really will
be important for organizations to truly understand what type of network telemetry from the devices
they have will help them identify things like command and control frameworks. And then, of
course, start doing some proactive hunting for those. And sometimes the only way to identify
these is through a proactive threat hunt, because there may not be a telemetry that's sufficient to be
alerting on the presence of these, and you may need to go and look for them, which is why we're
always recommending organizations not just sit back and hope that their detection rules are
sufficient, but to also go out and proactively look for indicators of C2 and other frameworks
like that.
Well, Rob Boyce, thanks for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Breaking news happens anywhere, anytime. Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.ca.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security. I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of
the startup studios of DataTribe, where they're co-building the next generation of cybersecurity
teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.