CyberWire Daily - "Read the Manual" and the ransomware-as-a-service market. Bitter APT against energy companies. Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. An arrest in the Discord Papers case.
Episode Date: April 14, 2023
"Read the Manual" and the ransomware-as-a-service market. Bitter APT may be targeting Asia-Pacific energy companies. A Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. Deepen Desai of Zscaler describes job scams following tech layoffs. Our guest is Kelly Shortridge from Fastly with insights on the risks from bots. And there's been an arrest in the Discord Papers case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/72
Selected reading.
Read The Manual Locker: A Private RaaS Provider (Trellix)
Phishing Campaign Targets Chinese Nuclear Energy Industry (Intezer)
Espionage campaign linked to Russian intelligence services (Baza wiedzy)
Russian cyberspies hit NATO and EU organizations with new malware toolset (CSO Online)
Pro-Russia hackers say they were behind Hydro-Quebec cyberattack (Montreal CTV News - 04-13-2023)
Cyberattack knocks out website and mobile app for Quebec's hydro utility (Toronto Star)
F.B.I. Arrests National Guardsman in Leak of Classified Document (New York Times)
DOD Calls Document Leak 'a Criminal Act' (U.S. Department of Defense)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Read the Manual and the ransomware-as-a-service market.
Bitter APT may be targeting Asia-Pacific
energy companies. A Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. Deepen
Desai of Zscaler describes job scams following tech layoffs. Our guest is Kelly Shortridge
from Fastly with insights on the risks from bots. And there's been an arrest in the Discord Papers case.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, April 14th, 2023.
Trellix shared some behind-the-scenes insight into the operations and goals of the Read the Manual ransomware-as-a-
service gang yesterday, known previously for their ransomware activity against corporate enterprises.
The threat actors also have a notable specific set of rules that require strict adherence from
affiliates. The gang requires its affiliates to remain active or make their leave known, lest 10 days pass without notification,
in which case the offending affiliate will be locked out of the gang's control panel.
Accessing the panel requires a username and password for affiliates, as well as the entry of a CAPTCHA code.
Once the user has entered the panel, they can add ransomed victims and set a timer for the release of the data.
A section of a ransom note from the gang reads,
All your documents, photos, reports, customer and employee data, databases, and other important files are encrypted, and you cannot decrypt them yourself.
They are also on our servers.
Trellix reports that certain targets
are considered off-limits. Former Soviet republics are excluded, as well as morgues, hospitals,
and COVID-19 vaccine-related corporations. For some reason, dentistry is fair game. The use of
the word hospitals rather than doctor's offices as a point of exclusion is also highlighted by the researchers.
One rule in particular emphasizes the avoidance of making headlines, which also removes vital infrastructure, law enforcement, and other major corporations as targeting points.
In the case that a major corporation is impacted or makes headlines,
all references and traces connected to the RTM gang are to be immediately removed with negotiations to take place on a differing platform.
The researchers suspect that there are affiliates and gang members
on opposite sides of the war between Russia and Ukraine.
In any case, the gang seems to be opportunistic in their attacks
and driven by financial as opposed to political motives.
Intezer concludes that a new string of energy sector-targeted phishing attacks
is using tactics that resemble those previously used by Bitter APT. Bitter APT is a South Asian
threat group that commonly targets energy and government sectors.
They've been known to target Pakistan, China, Bangladesh, and Saudi Arabia. The group makes
its approach through phishing. Although Bitter APT's involvement in the attacks is not fully
confirmed, there are circumstantial grounds that point in its direction. The researchers have found
that the threat actors
are using the same tactics previously observed by the Bitter APT group, such as the use of
Microsoft Office exploits through Excel files and the use of CHM and Windows installer files.
The exploits have been noted to initiate with an email to personnel in the energy sector being invited to a conference or roundtable.
Intezer writes,
The lures are designed to socially engineer the recipient to download and open an attached RAR file
that contains either a Microsoft-compiled HTML help or Excel payload.
Intezer advises that entities in government, energy, and engineering, especially those in the
Asia-Pacific region, should remain vigilant when receiving emails, especially those claiming to be
from other diplomatic entities. Always verify that the sender is trusted, and understand that even if
it claims to be from a particular person, it might not be. CERT Polska, Poland's cybersecurity
authority, warns that APT29, the unit of Russia's SVR foreign intelligence service that's also
tracked as Cozy Bear and Nobelium, is actively pursuing diplomatic targets in many nations,
principally NATO members. The campaign's goal is espionage, and its approach is spear phishing.
The warning states,
In all observed cases, the actor utilized spear phishing techniques.
Emails impersonating embassies of European countries were sent
to selected personnel at diplomatic posts.
The correspondence contained an invitation to a meeting
or to work together
on documents. In the body of the message or in an attached PDF document, a link was included
purportedly directing to the ambassador's calendar, meeting details, or a downloadable file.
Polish authorities recommend that organizations implement configuration changes to protect themselves from Cozy Bear's come-ons.
The Russian hacktivist auxiliary NoName057(16) claimed responsibility for a DDoS attack against
Hydro-Quebec yesterday. CTV News Montreal quotes the group's communique. Continuing our visits to
Canada, the website of Hydro-Quebec, the company responsible
for generating and transporting electricity in Quebec, was put down. The Toronto Star reports
that the power company's website and mobile app sustained disruption. Power generation and
distribution were unaffected, a Hydro-Quebec spokesman said, nor were customer data compromised.
They did not take any information from us.
It's an attack on our website that makes it unavailable for our customers, unfortunately, the spokesman said.
Hydro-Quebec is the province's major supplier of electricity.
It's also a major exporter of power to the U.S. state of New York. And finally, whatever influencer fantasies may
have been driving OG and the Thug Shaker Central followers who hung on his Discord posts,
the reality principle asserted itself yesterday in the form of an FBI raid on the alleged leaker's
home in Dighton, Massachusetts.
Airman First Class Jack Teixeira was arrested at his home yesterday in connection with his alleged role in the leak of classified information over Discord.
The 21-year-old cyber transport system specialist is, or was,
assigned to the Massachusetts Air National Guard's 102nd Intelligence Wing at Otis Air
National Guard Base on Cape Cod. An airman first class is a junior enlisted rank, an E-3,
the equivalent of a U.S. Army private first class or a U.S. Navy seaman. The New York Times observes
that how Airman Teixeira obtained access to the range of classified information he's
alleged to have shared under his hacker name OG with the even younger members of his Discord club
remains unclear. The investigation continues, and according to Reuters, Discord is cooperating with
authorities. The U.S. Department of Defense has pointed out that leaking doesn't amount to declassification.
Pentagon Press Secretary Brigadier General Pat Ryder said,
Just because classified information may be posted online or elsewhere does not mean it has been declassified by a classification authority.
We're just not going to discuss or confirm classified information due to the potential impact on national security,
as well as the safety and security of our personnel and those of our allies and our partners.
And for that reason, we will continue to encourage those of you who are reporting this story
to take these latter factors into account and to consider the potential consequences
of posting potentially sensitive documents or information online or
elsewhere. So, stand by and beware of the leaks.
Coming up after the break, Deepen Desai from Zscaler describes job scams following tech layoffs.
Our guest is Kelly Shortridge from Fastly with insights on the risks from bots.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
The bar has been lowered for criminals looking to employ bots for fraud and abuse, with an increasing availability of bot platforms and turnkey solutions.
Kelly Shortridge is Senior Principal for Product Technology at cloud services provider Fastly. I reached out to her for insights on battling bots.
One of the trends I think is often overlooked when we talk about bots, which is very much that they're part of the nefarious scourge of automated attacks. And this is really about attackers being
able to operate in scale and automate their operations, whether that's something like
credential stuffing or some of the more business logic specific attacks that I just mentioned.
So we have kind of across the board, including
things like Cobalt Strike, by the way, when we are looking at more traditional flavors of attack,
but attackers are really starting to automate and scale all of their malicious aims, which is
generally undesirable, right? Especially given that defenders in cybersecurity are not really
known for being particularly adroit at automating and scaling what
they do. Attackers are very good at that, it turns out. So I'm thinking about kind of the spectrum of
it. A lot of it really has to do with the fact that it is very cheap now from an attacker perspective
to pursue some kind of like account takeover campaign. I think it's on the dark net, you can
get a campaign started for as little as like
$3 or something like that. It's often very cheap. I'd like to think of it in economic terms as like
the barrier to market entry has been lowered. So you no longer have to be a specific cyber
criminal organization. You could very much be a criminal organization that wants to dabble
in cyber business pursuits. And now essentially, it's just much easier and lower
friction to get into the market and start to automate some of these bot attacks. So I think
that's a big driver that we see is simple ROI. Attackers get economies of scale from pursuing
bot attacks, and they're able to pursue it across a bunch of different avenues.
So in a way, it's kind of like diversifying the revenue streams. And indeed, I mean, there are
folks out there offering these bot as a service platforms where, you know, you can, as you say,
it doesn't cost a whole lot of money to wrangle up a collection of bots to do your bidding.
Absolutely. It can be very inexpensive.
And I think it actually matches the meta trend that we see in commercial, legitimate B2B software.
More things are becoming as a service, both for us and for attackers as well.
With ATO specifically, I think it's as little as $5 to $25, like you were saying. It just makes it really easy to diversify those revenue streams.
And again, it's very much, I think, matching what we see in the commercial world too.
I think to your point, there's the rise of different ransomware as a service operators.
In the sneaker bot world, it's the AIO, which is for all-in-one bot.
There are also other bot platforms or bot-as-a-service platforms like Sentry MBA for credential stuffing.
It really runs the gamut.
And then, of course, like I said, there's Cobalt Strike, which is the classic platform for your more traditional attack styles.
And so what are we seeing in terms of the evolution of defenses against this?
That certainly is something Fastly thinks about a lot. And obviously, we already do a lot today. And a lot of what I've talked about really drives our focus on what we call both anti-automation and anti-bot and actually anti-fraud, because a lot of companies think about it through that lens. So we're essentially trying to help automate and scale defense against bots and automated attacks of all kinds. This includes not just what we build, but also we support a lot of initiatives we believe in. So I'll mention a few.
If you're familiar with Apple's Private Access Tokens and then Google's Private State Tokens,
both of those are a way to help automate and scale defenses by design, which is really what we want.
We don't want those bolt-ons. They don't work as well. And importantly, with both of those initiatives, it's in a way that's invisible to end users, which we shouldn't expect end users
to be experts, right? They're not technical most of the
time. And it's on us to make sure that the solutions to protect against bots and the bad
outcomes of bots for those end users, we need to make sure it's just seamless for them. So these
innovations are no longer requiring users to jump through hoops with annoying captchas. I know I
fail CAPTCHAs a lot, which makes me wonder
in a very Blade Runner way, like, am I a bot when I'm failing these CAPTCHAs? I'm sure I'm not the
only one. Because who among us hasn't wondered like, okay, should we click the square that has
that tiny, tiny sliver of crosswalk? Does that count? Right. Suddenly you're having an existential
crisis. Exactly. So we don't want to, listen. Our industry is already not particularly liked by other people. We don't want to be causing existential crises. So implementing these defenses by design is just a really important strategy when we think about the scope of, you know, what's a modern way of protecting a modern Internet from harm by bots.
Some of the other defenses that are often overlooked, I think rate limiting is one of those things, weirdly, people take for granted because it's been around for a while.
It's, in the words of, I don't know if there are any Great British Bake Off listeners listening to this, but Paul Hollywood, the judge, always says, it's simple but effective.
Rate limiting is very much simple but effective.
It's not fancy, but it works. And that can even protect against developers, you know, making a mistake when they're calling
an API and accidentally DoSing it, which has a similar sort of outcome as a bot in some
cases.
And the lovely thing about rate limiting is that it doesn't have to require user interaction.
It can very much serve as like a safeguard rather than just some sort of, you know, alerting
device or even worse, like an administrative control or policy, both of which
are less reliable just because they rely more on human attention and human attention is very much
finite. I think back to the CAPTCHAs, right? The existential crisis generator. It relies very
heavily on human attention and it doesn't really respect that attention. And in some sense, you can
think about it as a very antiquated technique that was a very convenient bandage for a while.
It was particularly convenient for content providers, not so much end users, of course,
but it really isn't fit for solving some of these modern problems.
To what degree do you suppose organizations should be preparing for that kind of low-level
nuisance sort of thing, the day-to-day stuff that's going to be coming at them,
versus the episodic flood of activity that can lead to a very bad day?
It's a great question and one that customers and then other organizations ask us and me a lot.
My view is certainly you need to think about what's the biggest impact to your business. If a nuisance, like low volume thing,
maybe it causes a little disruption to end users, but not enough that they migrate away from the
platform or reduces the amount they spend. Maybe you don't worry about that so much. Maybe you
try to offload it onto a provider rather than investing a lot in building some sort of solution
yourself. Especially, you know, as everyone says right now, in these macroeconomic conditions.
But in truth, in these macroeconomic conditions, budgets are finite.
So you need to prioritize pretty ruthlessly.
And it means, like you said, something that's maybe a flood that could disrupt your business.
You might want to invest more.
Maybe that's offloading it onto a provider that specializes in it.
Certainly, that is the option that officially Fastly would like because we are experts in
dealing with these problems.
But realistically, there's some organizations that have really good platform engineering
teams that can build these kind of solutions as well.
So my take is always you need to think about what's actually going to impact your business
and invest accordingly.
And you need to think about what are the must-haves versus nice-to-haves versus it's kind of like checking a box and then is it a waste of time?
Certainly what we see from customers is eventually nuisance threats can add up.
If you have a small nuisance that ends up at scale becomes a pretty widespread problem.
I think a lot of people listening have probably seen the problem of maybe this is just a New Yorker sort of problem.
But fake review bots where you have no idea like, OK, is this sushi place actually good?
Or this like a kind of like widespread bot posting a bunch of like, this tasted great sort of messages.
That's very much not very impactful.
But once it scales, you start to have end users being like, okay, well, I'm not going
to trust these reviews anymore.
So that's something, again, that's very specific to a company's business logic.
And in general, you do need to think in terms of like, what's the business logic that matters?
Why do customers use our platform or service or app?
And what kind of disruptions to their end user experience
will actually cause harm?
And then you can invest accordingly.
That's Kelly Shortridge from Fastly. There's more to this conversation.
If you want to hear more, head on over to the CyberWire Pro
and sign up for Interview Selects,
where you'll get access to this and many more extended interviews.
And joining me once again is Deepen Desai. He is the Global CISO and Head of Security Research and Operations at Zscaler.
Deepen, always a pleasure to welcome you back to the show.
You know, we have been seeing a lot of layoffs in the tech community lately. And I know you want to point out that there are some scammers out there who are looking to take advantage of that unfortunate reality.
Yes.
So this is a campaign that we started tracking this year,
especially after so many layoffs happening in the tech industry. We noticed that these folks are essentially setting up pages
with fake job postings.
And the content is almost entirely mirrored
from the original content on these organizations whose job postings are being leveraged. And other tech companies that we saw where threat actors took the job posting
of these organizations
and then they were targeting those job seekers
who were potentially laid off
and performed financial fraud.
So to give a quick rundown,
Zscaler Threat Labs team,
as part of our tracking, observed multiple suspicious
job portals and surveys, which are essentially being used to solicit information from job seekers,
but under the guise of these organizations, which are trying to hire even in these trying times.
Threat actors did masquerade as recruiters from these organizations. So they will say, if you are a recruiter for company A, they will take your image.
They will create a Skype profile.
They will use your name and picture to reach out to these victims.
They will also register a domain that matches the organization that they're trying to use in targeting these job seekers.
So let's take an example, zscaler.com.
So what they can do is they will go zscaler.work or zscaler.live.
Any of those generic TLDs will be leveraged to set up a page where this job posting will be listed.
And then they will reach out to these folks with links pointing to this job posting.
And then they will schedule an interview.
The victim will always pass the interview. I've heard stories of
three hours, five hours long interview where more than one person talks to these victims.
And then at the end of it, it's kind of sad. The guy on the other end feels happy that they've
cleared the interview.
They're looking forward to getting employed again.
But the folks over here, they're essentially trying to scam them out of money and then also collecting the sensitive information.
Well, that was going to be my next question. What exactly are they after here?
How are they trying to get money from these folks or that information
from them? Yeah, so there are a couple of things they will do. One, obviously, is the information
that they will make these candidates fill out as part of the job application. So they will have a
lot of details collected as part of it. The second thing that we noticed in a couple of the cases, one was where they will ask the employee to make a payment in order to ship IT equipment.
So that was one.
Another one was they will ask the employee to make a payment for this training that they want the candidate to go through,
the new hire training, which is very surprising. But yes, that's one of the tactics that they use to ask the candidate to pay money.
And they're promising reimbursement that will obviously never come.
Correct.
Yeah.
All right.
Well, you know, scammers take advantage of people when they're at their weakest.
And it is a shame. Very sad, as you mentioned.
Yep.
Deepen Desai, thanks for joining us.
Thank you, Dave.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and
securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe
and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Scott Fanning,
Senior Director of Product Management and Cloud Security at CrowdStrike.
We're talking about the first ever Dero cryptojacking operation targeting Kubernetes infrastructure.
That's Research Saturday.
Check it out.
The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out
of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and
technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf,
Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Jason Cole, Joe Carrigan,
Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson. Thanks for listening.
We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.